I have a search and then a table and following that table is a post process.
Post-Process (| timechart span=15m count by finalError)
My problem is that for the finalError field on the timechart its coming up as null. It is graphing all the numbers correctly, but the legend to the right of the chart that shows which fields are which colors says "NULL". I would like that to say FinalError
I have tried doing | timechart span=15m count by finalError AS finalError. that did not work. I tried using "replace with" no good.
I appreciate any suggestions. Thanks!
Assuming finalError is an actual field name in your data that is correlated with the "NULL" data plotted on your timechart, then you should be able to use the rename command to change it from NULL to finalError. Check out the documentation on this command and see if it's what you need 🙂
Hey patrick, Yeah the thing is, the solution that i figured out in the end was not really related to my question and more so specific to my use case. I was just doing something silly in my search before my post process
Glad you got it figured out 🙂 Would you be able to post what the error was and how you found the solution? There was another question similar to yours (http://answers.splunk.com/answers/153755/why-are-null-value-data-points-being-displayed-and-graphed-... )and just wanted to see if it had the same answer you found or if there was another approach other folks could find useful. Thanks!