Hello,
I have the following query:
. . . | iplocation ClientIP | eval GeoLocation=case(Country="United States", "United States", Country=" ", "Views from Unknown Origins", Country!="United States" AND Country!=" ", "International") | top limit=3 GeoLocation | eval percent = round(percent,2) . " %"
The output of this query returns results like this:
GeoLocation count percent
United States 900 90%
International 100 10%
However it is not returning if the value for Country is null, I've ran the search and I know for the given time range null values exist for the country field. Can this work within the eval case() query?
I figured out my own issue. fillnull fixed it!
Below is the working query:
| iplocation ClientIP | fillnull value="Unknown" Country | eval GeoLocation=case(Country="United States", "Views from the United States", Country="Unknown", "Views from Unknown Origins", Country!="United States" AND Country!="Unknown", "International Views") | top limit=3 GeoLocation | eval percent = round(percent,2) . " %"