Splunk Search

Timechart value not setting after post process

jchang23
Explorer

I have a search and then a table and following that table is a post process.

Search
Table
Post-Process (| timechart span=15m count by finalError)
HiddenChartFormatter
JSChart

My problem is that for the finalError field on the timechart its coming up as null. It is graphing all the numbers correctly, but the legend to the right of the chart that shows which fields are which colors says "NULL". I would like that to say FinalError

I have tried doing | timechart span=15m count by finalError AS finalError. that did not work. I tried using "replace with" no good.

I appreciate any suggestions. Thanks!

0 Karma

ppablo
Retired

Hi @jchang23

Assuming finalError is an actual field name in your data that is correlated with the "NULL" data plotted on your timechart, then you should be able to use the rename command to change it from NULL to finalError. Check out the documentation on this command and see if it's what you need 🙂
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Rename

ppablo
Retired

Cool no worries 🙂 thanks for following up!

0 Karma

jchang23
Explorer

Hey patrick, Yeah the thing is, the solution that i figured out in the end was not really related to my question and more so specific to my use case. I was just doing something silly in my search before my post process

0 Karma

ppablo
Retired

Hi @jchang23

Glad you got it figured out 🙂 Would you be able to post what the error was and how you found the solution? There was another question similar to yours (http://answers.splunk.com/answers/153755/why-are-null-value-data-points-being-displayed-and-graphed-... )and just wanted to see if it had the same answer you found or if there was another approach other folks could find useful. Thanks!

Patrick

0 Karma

jchang23
Explorer

Hey ppablo, thanks for the help. I realized I had an error elsewhere. I got it all figured out now.

Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...