Solved: Events with null fields being discarded in results...

echojacques · ‎11-05-2013

Hello, in my search below, events with null fields are being discarded/excluded from the results. Specifically, any src_ip that doesn't have a region or a city gets excluded. Only src_ip's with complete geoip information (country & region & city) are included in the results. How can I modify this search so that I see all results including src_ip's with incomplete geoip information?

sourcetype="IPS" | geoip src_ip | stats sum(hit_count) as hits by src_ip country region city signature | table src_ip country region city signature hits | sort -hits | head 10

Thanks!

lguinn2 · ‎11-05-2013

Try this

sourcetype="IPS" 
| geoip src_ip 
| fillnull value="Unknown" country region city signature
| stats sum(hit_count) as hits by src_ip country region city signature 
| sort -hits
| head 10

View solution in original post

lguinn2 · ‎11-05-2013

Try this

sourcetype="IPS" 
| geoip src_ip 
| fillnull value="Unknown" country region city signature
| stats sum(hit_count) as hits by src_ip country region city signature 
| sort -hits
| head 10

echojacques · ‎11-05-2013

Thanks, this works perfectly! I really appreciate it.

Events with null fields being discarded in results?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life