Archive

How to eliminate zero values

Explorer

I am executing the following search query:
eventtype="some_error"| timechart span=1h count(eventtype)

The result shows by hour span. I want to show only the hour where the error count is greater than 0

Tags (1)
1 Solution

SplunkTrust
SplunkTrust

Try this

eventtype="some_error" | bucket span=1h _time | stats count(eventtype) by _time

View solution in original post

SplunkTrust
SplunkTrust

Try this

eventtype="some_error" | bucket span=1h _time | stats count(eventtype) by _time

View solution in original post