Solved: Re: Is there a way I can remove a time period from...

Midge87 · ‎05-09-2022

Hi,

I have a very basic timechart from the below search. Just counts the number of events=40 (event ID). The issue is we had a logging problem and received no events for a specific time period before we resolved the issue. This means the timechart has a drop to zero then back up to usual levels. Can I remove this from the timechart somehow?

Index=main event_type=40
| timechart count(src_ip) by sensor

ITWhisperer · ‎05-09-2022

That's because you haven't done exactly as I suggested

| foreach *
    [| eval <<FIELD>>=if(<<FIELD>>=0,null(),<<FIELD>>)]

The foreach command substitutes <<FIELD>> for each field name listed i.e. all (*) in this instance

View solution in original post

ITWhisperer · ‎05-09-2022

Try something like this

index=main event_type=40
| timechart count(src_ip) by sensor
| foreach *
    [| eval <<FIELD>>=if(<<FIELD>>=0,null(),<<FIELD>>)]

Midge87 · ‎05-09-2022

Unfortunately that has not made a difference.

Have zoomed in a bit here, can still see the drop. Basically want it to exclude between midnight on May 1st and continue the line straight to 1pm on May 3rd

ITWhisperer · ‎05-09-2022

That's because you haven't done exactly as I suggested

| foreach *
    [| eval <<FIELD>>=if(<<FIELD>>=0,null(),<<FIELD>>)]

The foreach command substitutes <<FIELD>> for each field name listed i.e. all (*) in this instance

Midge87 · ‎05-09-2022

Thank you, that has done the job! Much appreciated

ITWhisperer · ‎05-09-2022

Have you set the format correctly

Midge87 · ‎05-09-2022

I have

Is there a way I can remove a time period from my timechart?

timechart

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor