Hi,
I have a very basic timechart from the below search. Just counts the number of events=40 (event ID). The issue is we had a logging problem and received no events for a specific time period before we resolved the issue. This means the timechart has a drop to zero then back up to usual levels. Can I remove this from the timechart somehow?
index=main event_type=40
| timechart count(src_ip) by sensor
Try something like this
index=main event_type=40
| timechart count(src_ip) by sensor
| foreach *
[| eval <<FIELD>>=if(<<FIELD>>=0,null(),<<FIELD>>)]
Unfortunately that has not made a difference.
Have zoomed in a bit here, can still see the drop. Basically want it to exclude between midnight on May 1st and continue the line straight to 1pm on May 3rd
That's because you haven't done exactly as I suggested
| foreach *
[| eval <<FIELD>>=if(<<FIELD>>=0,null(),<<FIELD>>)]
The foreach command substitutes <<FIELD>> for each field name listed, i.e. all (*) in this instance
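To make the mechanism concrete, here is an added Python model (not part of the thread or of Splunk) of the two steps involved: the foreach/eval above turns every 0 bucket into null, and the chart's "Null values: Connect" format setting then draws a straight line across the gap. It also reports the outage window itself, which is the part a defender actually wants to keep track of. The sensor names, bucket size and counts are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample: hourly timechart output for two sensors with an
# ingestion outage (all-zero buckets) in the middle, as in the thread.
START = datetime(2023, 5, 1, 0, 0)  # assumed bucket start time
COUNTS = {
    "sensorA": [12, 14, 13, 0, 0, 0, 15, 11],
    "sensorB": [7, 9, 0, 0, 0, 0, 8, 6],
}

def null_zero_buckets(series):
    """Same effect as: foreach * [| eval <<FIELD>>=if(<<FIELD>>=0,null(),<<FIELD>>)]
    Every 0 becomes None, so the chart sees a missing point, not a value."""
    return [None if v == 0 else v for v in series]

def connect_nulls(series):
    """Mimic the chart's 'Null values: Connect' setting: linearly interpolate
    across each run of None between two real points. Leading or trailing
    Nones stay None because there is nothing on one side to connect to."""
    out = list(series)
    i = 0
    while i < len(out):
        if out[i] is None:
            j = i
            while j < len(out) and out[j] is None:
                j += 1
            if i > 0 and j < len(out):
                left, right, span = out[i - 1], out[j], j - (i - 1)
                for k in range(i, j):
                    out[k] = left + (right - left) * (k - (i - 1)) / span
            i = j
        else:
            i += 1
    return out

def outage_windows(table, start, bucket=timedelta(hours=1)):
    """Defender's view: list (start, end) of every run of buckets in which
    ALL sensors reported zero, i.e. the logging gap that was hidden above."""
    n = len(next(iter(table.values())))
    windows, i = [], 0
    while i < n:
        if all(vals[i] == 0 for vals in table.values()):
            j = i
            while j < n and all(vals[j] == 0 for vals in table.values()):
                j += 1
            windows.append((start + i * bucket, start + j * bucket))
            i = j
        else:
            i += 1
    return windows
```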
Thank you, that has done the job! Much appreciated
Have you set the format correctly?
I have