Solved: Re: How to show only fields over 0?

vtsguerrero · ‎07-30-2014

I have a query like this:
index=main Product=$product$ | time chart count by Quantity
But I need it to return only values > 0
What should I change here?
Thanks in advance!

strive · ‎07-30-2014

index=main Product=$product$ | timechart count by Quantity | where count > 0

Updated

The search wont work when the timechart output is like this

_time Quantity1  Quantity2 Quantity3
T1     100        0         120
T2      0         1          1

If you just need quantities where count is greater than zero., then use stats

index=main Product=$product$ | stats count by Quantity | where count > 0

If you want to show timechart and not to show dips when value is zero then do this

index=main Product=$product$ | timechart cont=f count by Quantity

View solution in original post

strive · ‎07-30-2014

index=main Product=$product$ | timechart count by Quantity | where count > 0

Updated

The search wont work when the timechart output is like this

_time Quantity1  Quantity2 Quantity3
T1     100        0         120
T2      0         1          1

If you just need quantities where count is greater than zero., then use stats

index=main Product=$product$ | stats count by Quantity | where count > 0

If you want to show timechart and not to show dips when value is zero then do this

index=main Product=$product$ | timechart cont=f count by Quantity

flacunsia · ‎04-23-2015

cont=f did the trick with timechart... thanks!

How to show only fields over 0?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation