Solved: Remove rows without result from timechart count qu...

jam00 · ‎05-19-2019

Hello,
I have the following query:
sourcetype=access_* action="purchase" | timechart count by productName usenull=f useother=f

And I get a timechart with zeros: https://imgur.com/a/XWdbIZH

Do you know a way to remove that rows with zeros? Is it possible to reference timechart "count" as a variable to use it with "where" command: | where $count$ > 0 , or something like that?

Thanks in advance

niketn · ‎05-19-2019

@jam00 you should try timechart option cont=f, the rows with all zeros will be removed.

sourcetype=access_* action="purchase" 
| timechart count by productName cont=f usenull=f useother=f

Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Optional_arguments

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎05-19-2019

@jam00 you should try timechart option cont=f, the rows with all zeros will be removed.

sourcetype=access_* action="purchase" 
| timechart count by productName cont=f usenull=f useother=f

Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Optional_arguments

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jam00 · ‎05-19-2019

@niketnilay I hadn't considered that argument. Thank you so much.

Remove rows without result from timechart count query

Celebrating the Winners of the ‘Splunk Build-a-thon’ Hackathon!

Why You Should Register for Splunk University at .conf25

Building Splunk proficiency is a marathon, not a sprint

Are you a member of the Splunk Community?

Remove rows without result from timechart count query

Celebrating the Winners of the ‘Splunk Build-a-thon’ Hackathon!

Why You Should Register for Splunk University at .conf25

Building Splunk proficiency is a marathon, not a sprint