Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart and Chart display buggy column "count" when using "limit=0"

Paolo_Prigione
Builder
‎07-14-2010 08:01 AM

I've noticed that on Splunk 4.1.3 the timechart and chart commands, when used with "limit=0", the "count" aggregation and split-by-clause, will add a "count" column to the results.

... | chart count limit=0 over _time by host
... | timechart limit=0 count by host

The results table will show something like:

_time host1 host2 count host3 ....

That fake, all-zeros, data series will display in reports and clicking on it would drilldown to a search filtered with host=count (in this example).

This happens even if using count(_raw), but does not happen with other stats, such as "max".

Splunk is 4.1.3 on a 64bit Linux box

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎07-15-2010 08:44 PM

I can confirm that this is a bug. Use the fields workaround for now 

<your search> | timechart limit=0 count by host | fields - count

We discovered the bug ourselves a few weeks ago and hopefully it'll be fixed before too long.

(its filed as SPL-32241 for splunkers following along)

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎07-15-2010 08:44 PM

I can confirm that this is a bug. Use the fields workaround for now 

<your search> | timechart limit=0 count by host | fields - count

We discovered the bug ourselves a few weeks ago and hopefully it'll be fixed before too long.

(its filed as SPL-32241 for splunkers following along)

Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎07-14-2010 08:02 AM

A workaround would be to pipe it all through the "fields" command

... | timechart limit=0 count by host | fields - count

to remove the erroneous column

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...