Good afternoon all,
As a relative noob to Splunk searching, I have a relatively easy (I hope) question.
I have a Splunk box that is dedicated to testing and as such will have periods of no information coming in followed by periods of indexing for tests and then it goes back dormant.
Is there a way to filter blanks out of results? For example, I have a query that looks at the traffic being indexed, and (huge surprise) there are gaps where no traffic at all was indexed. So it's null or blank or NaN or something. How do I get those records removed from the results?
Thank you in advance!
A bit confused - you say you have periods when no data whatsoever is coming in, but it seems you do get some data anyway, just that it contains null type values? Could you clarify what your logs look like, some sample events of the ones you want to ignore would be of great help.
I do not know which log format you are trying to index, but you can configure Splunk not to index unwanted data. Please refer to the following manual.
I think I understand what you want. For example, if you are counting events and expect data in the range 100-200 events but sometimes you get zero.
sourcetype=mydata purchase | timechart span=1d count | where count > 10
The "where" will remove any days with less than 10 events and you can run any reporting on the remainder.
Yes. I've got days when I have less data because there is simply not a lot of data, and days with no data because the box has been shut down for maintenance or to move it. So, I don't want to see those in my timechart.
Hmmm...I will need to work with this. I keep getting no results returned when I put in the where.
index=_internal source=*license_usage.log | eval MB=b/1024/1024 | timechart span=1d sum(MB) | where (MB > 500)
I'm trying to get a chart like the one I describe below.
Edited to add....
I've tried a couple of ways to get those fields out using the "where" command, but when I put it in, I get the text under the search bar saying "3 results" and then nothing in the datatable.
I don't understand that keyword apparently.
I was originally doing a timechart with a span of 1 day, and it appears that while my original query excluded the blank values, the timechart appears to fill in for days that are blank. I'll try with your suggestions and report back.
In short, I'm trying to put together a saved search that puts together a chart of days we've exceeded the license count so that it can be processed by another system using the CLI or REST. Something along the lines of:
The box is occasionally turned off for various reasons, including being moved, serviced or having hardware swapped in and out. So, I end up with values that are blank/null/something. There are also days where we don't have enough traffic to be included on the chart because I want only the values that are over the license limit.
So, my first thought was a timechart--but that ended up with a whole slew of empty or unimportant low values. And, no matter what I did, I could not get it to hide the rows with nothing in them.
So, I'll try your suggestions and see if I can get it to work that way.
I'm doing the following query:
index=_internal source=*license_usage.log | eval MB=b/1024/1024 | timechart span=1d sum(MB)
When there's no "where" it renders fine. It's a problem with where.
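Added example, not posted by anyone in this thread: the searches below are a corrected version of the license-usage query above. Two things work against the query as written. First, timechart names its output column after the aggregation, so the result has a field called sum(MB) and no field called MB; where MB > 500 then compares a field that does not exist, every row fails the test, and the search returns nothing (or, as in the "3 results" case, rows that are all empty). Renaming the aggregate with as MB gives where something to test. Second, timechart always emits one bucket per day in the time range, so days with no data come back as empty or zero rows. The first search keeps timechart and drops those rows with where; the second replaces timechart with bin and stats, which only produce a row for days that actually had events, so the shutdown days never appear at all. The 500 MB threshold is the one from the thread; the type=Usage filter is an assumption based on the Splunk license_usage.log format, where type=Usage lines carry the per-pool byte counts (b) and type=RolloverSummary lines are daily totals that would otherwise be double counted.

```spl
index=_internal source=*license_usage.log type=Usage
| eval MB=b/1024/1024
| timechart span=1d sum(MB) as MB
| where MB > 500

index=_internal source=*license_usage.log type=Usage
| eval MB=b/1024/1024
| bin _time span=1d
| stats sum(MB) as MB by _time
| where MB > 500
```

Either search can be saved and read back through the CLI or REST as a table of _time and MB for the days over the limit. If the chart is meant to compare against the real licensed quota rather than a fixed 500 MB, the quota is in the same index under source=*license_usage.log with type=RolloverSummary (field poolsz), so the threshold can be looked up there instead of hard-coded.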