Hello everybody
my query :
index=logarithm SrcAddr="192.168.148.1"
|eval flag=case(DestAddr="192.168.148.7" OR DestAddr="192.168.148.8" OR DestAddr="192.168.148.24" ,"LAN 1",DestAddr="192.168.148.21" OR DestAddr="192.168.148.36" OR DestAddr="192.168.148.37" ,"LAN 4" , DestAddr="192.168.148.33" OR DestAddr="192.168.148.34" OR DestAddr="192.168.148.35","LAN 5")
|chart count over flag by DestAddr useother=f usenull=f
and in trellis mode there are all DestAddrs for each flag! (as we can see in picture)
but I want not to show DestAddrs with 0 values in every chart
by "LAN 1" just show "192.168.148.7" or "192.168.148.8" or "192.168.148.24"
by "LAN 4" just show "192.168.148.21" or "192.168.148.36" or "192.168.148.37"
by "LAN 5" just show "192.168.148.33" or "192.168.148.34" or "192.168.148.35
1 Solution
