Solved: return events with null values in an eval function

edookati · ‎12-11-2014

I am using the below query, but few events in the logs don't have service_name values. They only have operation_name. I need to include these events in the results with only the operation name. Please help me.

index=jms_logs sourcetype=perflogs | eval service_operation = service_name.".".operation_name | table service_operation | dedup service_operation | sort service_operation

thanks.

somesoni2 · ‎12-11-2014

Try this

index=jms_logs sourcetype=perflogs | eval service_operation = coalesce(service_name.".","").operation_name | stats count by service_operation | table sort service_operation

The stats will automatically remove duplicates and sort.

View solution in original post

somesoni2 · ‎12-11-2014

Try this

index=jms_logs sourcetype=perflogs | eval service_operation = coalesce(service_name.".","").operation_name | stats count by service_operation | table sort service_operation

The stats will automatically remove duplicates and sort.

edookati · ‎12-11-2014

thanks. it worked

return events with null values in an eval function

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability