Solved: How to show only fields over 0?

vtsguerrero · ‎07-30-2014

I have a query like this:
index=main Product=$product$ | time chart count by Quantity
But I need it to return only values > 0
What should I change here?
Thanks in advance!

strive · ‎07-30-2014

index=main Product=$product$ | timechart count by Quantity | where count > 0

Updated

The search wont work when the timechart output is like this

_time Quantity1  Quantity2 Quantity3
T1     100        0         120
T2      0         1          1

If you just need quantities where count is greater than zero., then use stats

index=main Product=$product$ | stats count by Quantity | where count > 0

If you want to show timechart and not to show dips when value is zero then do this

index=main Product=$product$ | timechart cont=f count by Quantity

View solution in original post

strive · ‎07-30-2014

index=main Product=$product$ | timechart count by Quantity | where count > 0

Updated

The search wont work when the timechart output is like this

_time Quantity1  Quantity2 Quantity3
T1     100        0         120
T2      0         1          1

If you just need quantities where count is greater than zero., then use stats

index=main Product=$product$ | stats count by Quantity | where count > 0

If you want to show timechart and not to show dips when value is zero then do this

index=main Product=$product$ | timechart cont=f count by Quantity

flacunsia · ‎04-23-2015

cont=f did the trick with timechart... thanks!

How to show only fields over 0?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to show only fields over 0?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES