
Why are "NULL" value data points being displayed and graphed on dashboards?

jmaple
Communicator

I have data coming in from the "sep" handlers, but it seems the dashboards only want to parse "NULL" values and display them on the dashboards as data points. My question is: why does it pull non-existent values and graph them even though the data it's looking for isn't there? Why claim results where there are none? It should be noted that I'm not using the "symantec" index, because all the "sep" sourcetype data is being logged to the "winevent" index (configured that way before I got here), which the app is configured to use.

1 Solution

lguinn2
Legend

The generic answer to your question is this:

When you search, Splunk retrieves the events and then extracts the field information. Some events may be missing fields, but Splunk doesn't care.

But when you report, Splunk will assign NULL to missing fields; otherwise, all the events will not be represented. Some commands, for example chart and timechart, have an option usenull=f which will suppress the null values.

An even better technique is to exclude events from the search if they don't have the necessary fields. If you put something like this in your search

action=*

then Splunk will only retrieve events that have some value in the action field.

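The following Python model is an added illustration and is not code from the thread or from Splunk: it mimics what a reporting command such as chart does with events that lack the split-by field, and contrasts the two remedies named in the answer above. The field name "action", the NULL label and the sample event records are constructed assumptions for the demonstration.

```python
"""Added illustration (not from the Splunk thread or any Splunk code): a
small model of how a reporting command groups events by a field that some
events lack, and how the two remedies in the answer differ.

The events below are constructed sample data loosely shaped like endpoint
log records; the field name "action" is an assumption for the demo.
"""
from collections import Counter

# Constructed sample events: three carry an "action" field, two do not.
SAMPLE_EVENTS = [
    {"host": "ws01", "action": "blocked"},
    {"host": "ws02", "action": "allowed"},
    {"host": "ws03"},                      # no "action" field extracted
    {"host": "ws04", "action": "blocked"},
    {"host": "ws05"},                      # no "action" field extracted
]

NULL = "NULL"  # label the reporting stage assigns to a missing field


def chart_count_by(events, field, usenull=True):
    """Model of `... | chart count by <field>`.

    A reporting command has to place every retrieved event somewhere, so an
    event without the split-by field lands in a NULL bucket. With
    usenull=False that bucket is dropped from the output, but the events
    themselves were still retrieved. Returns {value: count}.
    """
    counts = Counter(ev.get(field, NULL) for ev in events)
    if not usenull:
        counts.pop(NULL, None)
    return dict(counts)


def filter_has_field(events, field):
    """Model of a search-time filter such as `action=*`: keep only events in
    which the field exists with a non-empty value (an empty extraction is
    treated as absent here; that is a modelling assumption)."""
    return [ev for ev in events if ev.get(field) not in (None, "")]


def compare_remedies(events, field):
    """Contrast hiding the NULL series with excluding the events up front.

    Returns the chart produced under each approach plus the number of events
    each approach actually reported on, which is the practical difference:
    usenull=f only hides a column, while a search-time filter changes the
    event set (and therefore any totals computed from it).
    """
    default = chart_count_by(events, field)
    hidden = chart_count_by(events, field, usenull=False)
    kept = filter_has_field(events, field)
    filtered = chart_count_by(kept, field)
    return {
        "default": default,
        "usenull_f": hidden,
        "filtered": filtered,
        "events_reported": {
            "default": len(events),
            "usenull_f": len(events),
            "filtered": len(kept),
        },
    }


if __name__ == "__main__":
    for name, result in compare_remedies(SAMPLE_EVENTS, "action").items():
        print(name, result)
```

Run as written, the default chart carries a NULL series of 2, usenull=False drops that series while still reporting on all five events, and the filtered variant reports on only the three events that have the field. For a monitoring dashboard the filtered form is usually the honest one: a NULL series is often the first visible symptom that field extraction is failing or that a forwarder is sending incomplete records, so it is worth understanding why it appears before simply hiding it.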

rstrong30
Loves-to-Learn

usenull=f useother=f

DOES NOT WORK! Splunk is somehow pulling data with no fields. The hostname is the simplest thing in the world for it to pull, yet it is determined to add blank field values for hosts. Customers did not simply forget to add the host value to their forwarders!


jmaple
Communicator

I see now that, with some of the saved searches, it's using properties like you've described. It's searching for fields that don't exist. I just find it odd that it graphs them without knowing the actual information.


lguinn2
Legend

I don't think the community will be able to help very much until we have more info.

Can you post one of the searches that is getting NULL values?

We might also want to see a sample of the data (obfuscated) and understand the fields a bit.
