Splunk Search

How to accelerate a report and use fillnull or usenull with stats?

yacht_rock
Explorer

Splunk 6.2.2 ... I want to build an accelerated daily report. The search I want to power this daily report is...

index=myapp | iplocation dip | fillnull value=- | stats sum(eval(c2s_bytes+s2c_bytes)) AS "total_bytes" count by app, sip, sip_host, dip, Country

sip_host is populated by an automatic lookup that links "sip" (source IP) to a host name. Country is populated by the iplocation lookup provided by Splunk.

Sometimes one or both of these fields will be blank, so by default, I need a way for stats to do its thing even when a field is blank/null. I've traced the reason to why Splunk says I can't accelerate this report to the fillnull command. Googling for stats info says there is a usenull flag for stats, but I couldn't find it in the documentation or get it to work.

How can I make stats use null/blank fields and/or make Splunk accelerate reports that use the fillnull command?

0 Karma
1 Solution

woodcock
Esteemed Legend

Try this:

index=myapp | iplocation dip | eval sip_host=coalesce(sip_host, "-") | eval Country=coalesce(Country, "-") | stats sum(eval(c2s_bytes+s2c_bytes)) AS "total_bytes" count by app, sip, sip_host, dip, Country
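
The same pattern written out as a general recipe, as an added example that is not part of the thread (field names app, sip, sip_host, dip, Country, c2s_bytes and s2c_bytes are taken from the question; the alias "events" and the "total" field are this example's own). Report acceleration needs a transforming command (here stats) preceded only by streaming commands, which iplocation and eval are, so every null-handling step is expressed as eval/coalesce on the specific fields instead of a bare fillnull over the whole event. The first search is the accelerable report; it also guards the byte arithmetic, because c2s_bytes+s2c_bytes is null whenever either field is missing and such events would silently drop out of the sum. The second search is a one-off sanity check to run unaccelerated: it counts how many events had a missing sip_host or Country, which should match the totals landing in the "-" rows of the report.

```spl
index=myapp
| iplocation dip
| eval sip_host=coalesce(sip_host, "-")
| eval Country=coalesce(Country, "-")
| eval total=coalesce(c2s_bytes, 0) + coalesce(s2c_bytes, 0)
| stats sum(total) AS total_bytes count AS events by app, sip, sip_host, dip, Country

index=myapp
| iplocation dip
| stats count AS events count(sip_host) AS with_sip_host count(Country) AS with_country
| eval missing_sip_host=events-with_sip_host, missing_country=events-with_country
```

count(field) only counts events in which that field is present, so the eval in the check search yields the number of events that would have been dropped from the by clause without the coalesce. When saving the report, the Accelerate Report option tells you directly whether the search is eligible; if it is not, look for any command before stats that is not streaming.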

yacht_rock
Explorer

This worked perfectly - the results are identical to my query, and it's accelerating like I wanted. Thank you!

0 Karma