Hi,

I tried this option but count is still appearing.

Best Regards
Hitesh

Did you mean a field called count or some other field with the count in it? Whatever field you don't want to show up, replace count in my suggestion with the name of that field.

I think its the Value field which evaluates to either 0 or 1. I tried fields - Value. But still the number is coming over there. Its not count field. Its Value field which is used in rengemap function

-Hitesh

I did the following search and it worked the way you are expecting, with just the range column and not the Value column:

index=_internal 
| table eventtype 
| mvexpand eventtype 
| dedup eventtype 
| eval Value=if(eventtype!="splunkd-log",1,0) 
| rangemap field=Value splunkdlog=0-0 other=1-100 
| fields - Value

Does this work similarly for you?

No, its not working that way. OK I will provide some more details. Here is my Splunk Query:

index="_internal" source="metrics.lo" group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","syslog")| eval build=if(isnull(build),"n/a",build) | eval version=if(isnull(version),"pre 4.2",version) | eval guid=if(isnull(guid),sourceHost,guid) | eval os=if(isnull(os),"n/a",os)| eval arch=if(isnull(arch),"n/a",arch) | fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server build version os arch guid |stats latest(version) by sourceHost os connectionType arch|search sourceHost=$Host$|stats count|eval Value= if(count == 0, 0, 1)| rangemap field=Value severe=150-200 low=0-100 | fields - Value

I tried with both fields - count and fields - Value , but no is still appearing. Is there any way I can hide this count from dashboard xml. The corresponding entry in xml is:

    <title>Availability of $Host$</title>
    <searchString>....</searchString>
    <earliestTime>rt-60s</earliestTime>
    <latestTime>rtnow</latestTime>
    <option name="drilldown">none</option>
    <option name="classField">range</option>
    <option name="linkView">search</option>
  </single>

Please help

I've tried my suggestion in both simple and advanced XML and it's working in both places - the Value column is not there and the range column is. I'm still not sure what's going on with yours.

Can you please do the following: Cut off your search string after the last stats count (before the eval Value clause) and post a sample table (columns and rows with values) that you get in response. Maybe that will point us the right way.

Eve if I remove these fields the name of the VM starts to appear, then if I write fields - sourceHost then os name begin to appear, likewise. After removing all fields to appear once again the Value fields begins to appear which is not getting removed even after writing fields - Value.

I understand while writing normal query if you write fields - Value then Value wont be there in result. But the case is regarding this query. So I think the query needs to be changed. Please help me in correcting this query to remove fields

Moreover I cannot remove search clause as I have to check the availibility of that VM.

One scenario at a time, please? Let's solve this one, and then ask your other one in a different question.

Anyways, I ran your search prior to the search sourceHost=$Host$ line, and I got a table with five columns: sourceHost, os, connectionType, arch and latest(version).

Doing the search sourceHost=$Host$ line will return the same table but listing only entries containing that host.

Doing stats count will return a table with just a count column and one row with the value representing the number of entries in the previous table.

Doing eval Value= if(count == 0, 0, 1) gets you a table with two columns, count and Value, and one row, with a number in count and either 1 or 0 in Value.

Doing rangemap field=Value severe=150-200 low=0-100 results in a table with count, Value and range columns, and one row. (Note, it makes no sense to do this. Value is always either 0 or 1. Doing a rangemap where low=0-100 will always get you low. I think you want to do the rangemap on count.)

Doing fields - Value count gets me just the range column, which I think is what you want. I made a simple dashboard with your search a tweaked version of your CSS, and I got a green "low", shifted over with space for the background image (which I don't have). Worked with a 7-day regular search and a 30-min realtime search.

There's nothing special about the query you have posted. The 'fields -` clause works for me here, and it should work for you, too.

OK, Let me tell you another scenario.

Here is the splunk Query:

index = azuremetricservice source="wmi:service" Name="MSSQLSERVER" | eval State=State|eval Value =if(State=="Running",1,0) | rangemap field=Value severe=0-0 low=1-100

The output is an icon. Now as soon as I make above query to execute in real time. The name MSSQLSERVER is getting displayed.

How is this possible that upon making query real time the name is appearing.

-Hitesh