How to get empty tag fields?

yzimmer · ‎07-18-2016

Hello everyone!

I actually create a statistic dashboard to get the "Event Coverage" of each Fields like that :

* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count | eval total=if(Property ="U1708_DOCUMENTTITLE",Count,0) | eventstats sum(total) as ok | eval Percentage=round(Count*100/ok,2) | search Property !="U1708_DOCUMENTTITLE"| table Property Percentage

I would like to also have fields with 0% Event Coverage in my Dashboard (when it's all the time null).

How can I do that?

Thanks a lot

woodcock · ‎07-18-2016

I think that one of these 2 approaches should work:

https://answers.splunk.com/answers/321170/fill-in-0-if-no-result-is-returned.html
https://answers.splunk.com/answers/293823/how-to-table-list-of-values-from-lookup-not-found.html

gcusello · ‎07-18-2016

You have to insert an eval command for each field you use in your stats like the following:
|eval XXX=if(isnull(XXX)," ",XXX)
In this way you are sure that each record has enhanced the field.
Bye.
Giuseppe

yzimmer · ‎07-18-2016

Hi Giuseppe!

Thanks for your solution but that's can't work because fields don't exist in Splunk...
Normaly I have 60 fields but Splunk only get 40 fields in the search... So 20 of thems don't exist in Splunk (because they don't have value)...

Exemple (imagine) : Count of Fields = 4 and Count of Lines = 3

Field1|Field2|Field3|Field4
Hi |a |1 |
Hello |b ||
Hey |||

If I search "*" in Splunk search there is just Field1, Field2 & Field3 in the result, no trace of Field4, that's my problem...

gcusello · ‎07-18-2016

what do you mean with "...only 40 fields in the search..." and "because they don't have value"?
I have a search with 72 fields displayed (using only 15 of them to search) and my searches correctly run.
In addition, if a field is defined I can give it a value also " ".
Bye.
Giuseppe

yzimmer · ‎07-18-2016

This picture is what Splunk propose for field :

http://www.hostingpics.net/viewer.php?id=531083Capture1.png

But if I do a search on empty field there is no result because there is no reference in Splunk...

gcusello · ‎07-18-2016

try with fieldname=*,
in this way you can find logs also if the field is enhanced only in a few logs, and then put the field in evidence, in this way you can see it always is enhanced.
then if you try with the command "|eval XXX=if(isnull(XXX)," ",XXX)", in your stats you have all the logs with that field (both with value or space).
doing this for all interested fields you can have a stats with all your logs.
Use only fields you need because if you have many logs you decelerate your search.
Bye.
Giuseppe

yzimmer · ‎07-18-2016

I think the problem is not the search but is the DATA.
http://www.hostingpics.net/viewer.php?id=776656Sanstitre.png
Many fields have a "null" value. That's why I can't search them in Splunk...
https://answers.splunk.com/answers/137764/fields-disappear-in-search-app.html
In this post you can see the same problem

gcusello · ‎09-09-2016

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe

gcusello · ‎07-18-2016

try with fieldname=*, in this way you can find logs also if the field is enhanced only in a few logs, and then put the field in evidence, in this way you can see it always is enhanced.
then if you try with the command "|eval XXX=if(isnull(XXX)," ",XXX)", in your stats you have all the logs with that field (both with value or space).
doing this for all interested fields you can have a stats with all your logs.
Use only fields you need because if you have many logs you decelerate your search.
Bye.
giuseppe

How to get empty tag fields?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms