Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search so that no results should be replaced with a zero (0)?

karthik4455
Explorer
‎05-22-2017 01:16 AM

I have a scenario where one column needs to be indicated with Zero in the instance of no result. However, it's showing other fields as NULL. fillnull isn't working.

index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [stats count | eval QuarterlyVolume=0 | where count=0 | fields - count]

I am using the above search and I'm seeing the below result. Nothing below source and Customer, Zero appears below QuarterlyVolume.

source                                 Customer                          QuarterlyVolume
                                                                         0

I want to see the details of source and Customer as well.

Similar issue has been discussed here:
https://answers.splunk.com/answers/59589/no-results-found-to-be-represented-as-null-or-0.html

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-22-2017 02:28 AM

You have set all fields in the subquery this way -

index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [ stats count | eval Customer="NA" | eval QuarterlyVolume=0 | eval source="FW1-HKS-01" | where count==0 | fields - count ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

dineshraj9
Builder
‎05-22-2017 02:28 AM

You have set all fields in the subquery this way -

index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [ stats count | eval Customer="NA" | eval QuarterlyVolume=0 | eval source="FW1-HKS-01" | where count==0 | fields - count ]
0 Karma
Reply
Solved! Jump to solution

karthik4455
Explorer
‎05-22-2017 02:43 AM

If I use that I am seeing NA as Customer in the result. I am expecting something like below

source Customer QuarterlyVolume
FW1-HKS-01 Customer_Name 0

0 Karma
Reply
Solved! Jump to solution

dineshraj9
Builder
‎05-22-2017 02:47 AM

If you know the customer name, then hardcode it the same way we hardcoded source field -

 index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [ stats count | eval Customer="Customer_Name" | eval QuarterlyVolume=0 | eval source="FW1-HKS-01" | where count==0 | fields - count ]
0 Karma
Reply
Solved! Jump to solution

karthik4455
Explorer
‎05-22-2017 03:12 AM

This helps but I would face the problem when I seach for a source which could be linked to any Customer. If I search with source I like to see Customer and source automatically like I used to see when I run the below query and the event count is not zero.

index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...