I am executing the following search query:
eventtype="some_error" | timechart span=1h count(eventtype)
The result shows by hour span. I want to show only the hour where the error count is greater than 0.
Try this:
eventtype="some_error" | bucket span=1h _time | stats count(eventtype) by _time