
Is there a way I can remove a time period from my timechart?

Midge87
Explorer

Hi,

I have a very basic timechart from the below search. It just counts the number of events with event_type=40 (event ID). The issue is we had a logging problem and received no events for a specific time period before we resolved the issue. This means the timechart has a drop to zero then back up to usual levels. Can I remove this from the timechart somehow?

index=main event_type=40
| timechart count(src_ip) by sensor

1.PNG

0 Karma

ITWhisperer
SplunkTrust

Try something like this

index=main event_type=40
| timechart count(src_ip) by sensor
| foreach *
    [| eval <<FIELD>>=if(<<FIELD>>=0,null(),<<FIELD>>)]

0 Karma

Midge87
Explorer

Unfortunately that has not made a difference.

2.PNG

Have zoomed in a bit here, can still see the drop. Basically want it to exclude between midnight on May 1st and continue the line straight to 1pm on May 3rd.

0 Karma

ITWhisperer
SplunkTrust

That's because you haven't done exactly as I suggested

| foreach *
    [| eval <<FIELD>>=if(<<FIELD>>=0,null(),<<FIELD>>)]

The foreach command substitutes <<FIELD>> for each field name listed, i.e. all (*) in this instance.

0 Karma
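To see what the foreach does without access to the original index, here is an added, self-contained SPL search (not from the thread) that fabricates three days of hourly event_type=40 events with a 12-hour ingestion gap and then applies ITWhisperer's foreach; the sensor, src_ip and gap boundaries (rows 30 to 41) are constructed values. Run it once without the final foreach to see the gap buckets hold 0 for every sensor column, and once with it to see them hold null, which the chart's null-value "Connect" format setting then draws straight across.

```spl
| makeresults count=72
| streamstats count AS n
| eval _time=relative_time(now(), "-3d@h") + (n - 1) * 3600
| eval sensor=if(n % 2 = 0, "sensor_a", "sensor_b")
| eval src_ip="10.0.0." . tostring(n % 5)
| eval event_type=40
| where NOT (n >= 30 AND n <= 41)
| timechart span=1h count(src_ip) BY sensor
| foreach *
    [| eval <<FIELD>>=if(<<FIELD>>=0, null(), <<FIELD>>)]
```

Note that the foreach nulls every zero, including a genuine zero from a sensor that simply sent nothing in that hour, so it only changes how the chart renders; keep a separate search on the raw per-sensor count if you want the outage itself to stay visible and alertable.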

Midge87
Explorer

Thank you, that has done the job! Much appreciated

0 Karma

ITWhisperer
SplunkTrust

Have you set the format correctly?

ITWhisperer_0-1652088477918.png

0 Karma

Midge87
Explorer

I have

3.PNG

0 Karma