Solved: Need to return a field in a search even if it does...

anthonycopus · ‎08-27-2013

Hi,

I have a problem with a query which runs on an hourly basis as the fields that need to be returned can vary. The simple query is

index="test"  | fields app,action,category | fillnull value="unknown" | stats count by app,action,category

I have one action which contains the category and one without:

{"app": "testapp", "category": "test_cat", "action": "video_view"}
{"app": "testapp2", "action": "social"}

The issue arises as the stats table will not show anything unless the category is present in at least 1 event in the timerange. I.e. if I select a timerange with only the second event here using the query above, I receive no results. I need to receive field, even if only null.

I have also tried the following but it doesn't work:

index="test"  | fields app,action,category  | eval category=if(isnotnull(category),category,NULL)| fillnull value="unknown" | stats count by app,action,category

lukejadamec · ‎08-27-2013

Have you tried this?
index="test" app="*" OR action="*" OR category="*" | fillnull value=unknown app action category | stats count by app,action,category

View solution in original post

lukejadamec · ‎08-27-2013

Have you tried this?
index="test" app="*" OR action="*" OR category="*" | fillnull value=unknown app action category | stats count by app,action,category

anthonycopus · ‎08-27-2013

Thanks, this works perfectly for what I need!

sjscott · ‎05-14-2015

Worked great. Thanks!

Need to return a field in a search even if it doesn't exist

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!