Solved: Remove rows without result from timechart count qu...

jam00 · ‎05-19-2019

Hello,
I have the following query:
sourcetype=access_* action="purchase" | timechart count by productName usenull=f useother=f

And I get a timechart with zeros: https://imgur.com/a/XWdbIZH

Do you know a way to remove that rows with zeros? Is it possible to reference timechart "count" as a variable to use it with "where" command: | where $count$ > 0 , or something like that?

Thanks in advance

niketn · ‎05-19-2019

@jam00 you should try timechart option cont=f, the rows with all zeros will be removed.

sourcetype=access_* action="purchase" 
| timechart count by productName cont=f usenull=f useother=f

Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Optional_arguments

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎05-19-2019

@jam00 you should try timechart option cont=f, the rows with all zeros will be removed.

sourcetype=access_* action="purchase" 
| timechart count by productName cont=f usenull=f useother=f

Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart#Optional_arguments

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jam00 · ‎05-19-2019

@niketnilay I hadn't considered that argument. Thank you so much.

Remove rows without result from timechart count query

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms