Solved: Re: count null timechart spans

mwcooley · ‎08-22-2018

Hi,

I have the following search that displays a table with time as rows and conferenceID as columns. i only want to include conferenceIDs (columns) where the sum > 1 and there are at least 2 non-zero spans.

My search:

index=myindex sourcetype=mysourcetype
| timechart span=7d count by ConferenceID limit=0 where sum > 1

I want to keep column 1, but not column 2:

          1001     1002
wk1         1        2
wk2         0        0
wk3         1        0
wk4         0        0

somesoni2 · ‎08-22-2018

Give this a try

index=myindex sourcetype=mysourcetype
| bucket span=7d _time
| stats count by _time ConferenceID
| eventstats dc(_time) as weeks by ConferenceID 
| where weeks>=2
| timechart span=7d sum(count) by ConferenceID limit=0

View solution in original post

somesoni2 · ‎08-22-2018

Give this a try

index=myindex sourcetype=mysourcetype
| bucket span=7d _time
| stats count by _time ConferenceID
| eventstats dc(_time) as weeks by ConferenceID 
| where weeks>=2
| timechart span=7d sum(count) by ConferenceID limit=0

mwcooley · ‎08-22-2018

Thanks somesoni2. works like a charm.

count null timechart spans

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation