Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

replace or hide aggregate 0s in timechart

zdavitiani_splu
Splunk Employee
Splunk Employee
‎08-25-2011 10:53 AM

I have a search that returns number of apache processes per host:

sourcetype="ps" earliest="-7m" | multikv filter apache | search USER="apache" | timechart span=30s count as linecount_apache by host

However, this results in 0 values for some hosts for last or first rows when, presumably, some data is out of range or isn't available yet. What would be the best way to hide or replace these 0s with nulls so they are not displayed on the report? Piping to eval or replace like this:

| eval linecount_apache=if(linecount_apache==0,null,linecount_apache)

seemed to have no effect on the result. Thank you.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎08-25-2011 01:32 PM

Use the 'partial' argument to timechart:

| timechart span=30s count as linecount_apache by host partial=f

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart

partial
    Syntax: partial=<bool> 
    Description: Controls if partial time buckets should be retained or not. Only the first and last
    bucket could ever be partial. Defaults to True|T, meaning that they are retained.

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎08-25-2011 01:32 PM

Use the 'partial' argument to timechart:

| timechart span=30s count as linecount_apache by host partial=f

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart

partial
    Syntax: partial=<bool> 
    Description: Controls if partial time buckets should be retained or not. Only the first and last
    bucket could ever be partial. Defaults to True|T, meaning that they are retained.
Reply
Solved! Jump to solution

sophy
Splunk Employee
Splunk Employee
‎08-25-2011 11:37 AM

Hi! You can use the fillnull command, as described in this topic:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull

to fill the empty field values with NULL:

... | fillnull value=NULL

before the timechart command, for example:

... | fillnull linecount_apache=NULL | timechart span=30s count as linecount_apache by host

Hope this helps!

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...