Solved: Chart count result process - replace zero with SPA...

rally0321 · ‎04-29-2022

I get below result when use Chart count over field-A by Field-B

We can see there are cell with value 0, is there any solution to replace these 0 with SPACE for particular cell? Thanks. replace 0 for over value 1 + by field value 1/4; replace 0 for over value 2 + by field value 3/5.

Over field value	by field value1	by field value2	by field value3	by field value 4	by field value5	Total
Over value 1	0	0	1	0	0	1
Over value 2	0	0	0	603	0	603
Over value 3	0	0	12	0	0	12
Over value 4	0	0	0	600	0	600

ITWhisperer · ‎04-29-2022

| eval "by field value2" = if('Over field value'="Over value 2" AND 'by field value2'=0, " ", 'by field value2')

View solution in original post

rally0321 · ‎04-29-2022

above command will replace 0 to space for all cells. Can we somehow replace the cell for selected row/column only?

for example replace 0 in row 2, column 2/5 to SPACE and leave 0 in row 2, column 3/6.

ITWhisperer · ‎04-29-2022

| eval "by field value2" = if('Over field value'="Over value 2" AND 'by field value2'=0, " ", 'by field value2')

ITWhisperer · ‎04-29-2022

Try something like this:

| foreach *
  [| eval "<<FIELD>>"=if('<<FIELD>>'=0," ",'<<FIELD>>')]

Chart count result process - replace zero with SPACE for particular cell

using Splunk Enterprise

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?