Solved: Ignore rows without any values in timechart

rnvrnv · ‎03-06-2018

hi all,
I am trying to create a timechart of number of, for example errors in certain days. In result table i get list of all days. that is fine. what i would like to do now is only show row (day) where some data exist. Will appreciate your help.

regards,
rnv

niketn · ‎03-06-2018

@rnvrnv another option would be to use timechart with cont=f. Following is a run anywhere search based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=1d count as ERRORS cont=f

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎03-06-2018

@rnvrnv another option would be to use timechart with cont=f. Following is a run anywhere search based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level!=INFO
| timechart span=1d count as ERRORS cont=f

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

HiroshiSatoh · ‎03-06-2018

Try this!

(your search)
 | timechart span=1d count by XXX
↓
(your search)
 | bin _time span=1d
 | chart count over _time by XXX

Ignore rows without any values in timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation