I have a search result which returns the following:
Username,TimeOnVPN
user1,185.25
user2,1920.25
...
...
...
user6,
user7,
sourcetype="***" | rex "Duration:\s+((?
Here, user6 and user7 do not have a value, which means I need to substitute "0" for them. I tried the eval function, which I have bolded, and it's not working as expected.
Please let me know how to achieve it.
You could try fillnull: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Fillnull
| fillnull value=0
This will fill any existing field that is null with the value "0"
| fillnull value=0 total
This will fill only the field named "total" with "0"
You can try changing your search eval as mentioned below:
sourcetype="" | rex "Duration:s+((?
The coalesce function will take the first non-null value from total or 0.
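The two suggestions above, run side by side on constructed rows, as an added example that is not part of the original posts. It assumes a Splunk version that has the `makeresults` command and reuses the field name `total` from the answers; `via_coalesce` and `via_empty_check` are hypothetical field names, and the third row carries an empty string rather than a null to show the case neither suggestion covers.

```spl
| makeresults count=4
| eval sample_note="constructed rows, not data from the original post"
| streamstats count AS n
| eval Username="user".n
| eval total=case(n==1, "185.25", n==2, "1920.25", n==3, "")
| eval via_coalesce=coalesce(total, 0)
| eval via_empty_check=if(isnull(total) OR total=="", 0, total)
| fillnull value=0 total
| table Username total via_coalesce via_empty_check
```

For user4, where `total` is null, all three columns show 0. For user3 the empty string is not null, so `fillnull` and `coalesce` leave it empty and only the explicit empty-string check yields 0.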