×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Sageth1
New Member
Member since: ‎06-24-2015
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-24-2015
View All

Re: How to remove a specific value from timechart?

by in All Apps and Add-ons
‎06-30-2015 09:44 AM
‎06-30-2015 09:44 AM
This wasn't exact, but it got me there. It was displaying as a value, but it was actually (apparently) a field. This query gave me no results, but I modified my original query and added fields - VALUE and that worked. Now just to tidy up and make a bit more efficient. Thanks for your help. I didn't know about the 'fields' command. Final result: index=nest error_code!="VALUE"| fillnull value=NULL error_code | timechart usenull=f useother=f cont=false span=30m count BY error_code | fields - VALUE ... View more

Re: How to remove a specific value from timechart?

by in All Apps and Add-ons
‎06-30-2015 09:25 AM
‎06-30-2015 09:25 AM
Thanks for the insight. That gives me the same results (which is good because this is cleaner), but it still gives me the value of "VALUE" in the timechart ... View more

How to remove a specific value from timechart?

by in All Apps and Add-ons
‎06-30-2015 09:10 AM
‎06-30-2015 09:10 AM
I'm using the Nest for Splunk app and am trying to chart the number of power outages I have by duration. I've got the search working almost perfectly: index=nest | fillnull value=NULL error_code | addinfo | eval duration=(info_max_time - info_min_time) | timechart usenull=f useother=f cont=false span=30m count(duration) by error_code This gives me the values that I'm looking for (namely error_code=E23) over time, but it also charts a value called "VALUE" which, from what I can tell, is just an empty value in the error_code field. I can't figure out how to remove that VALUE entry to just show the valid error codes, which start with "E", "N" or "W." I tried using fillnull to make that entry null, and it doesn't break anything, but doesn't fix it. I also added the searches below, but they are definitely not what I'm looking for and I seem to lose the time/duration: | where error_code != "" and | where error_code != "VALUE" The error_code entry in question looks to be like this in the events field: equipment_type: electric error_code: fan_control_state: false Any ideas what I'm missing? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM