- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search so that no results should be...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a scenario where one column needs to be indicated with Zero in the instance of no result. However, it's showing other fields as NULL. fillnull isn't working.
index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [stats count | eval QuarterlyVolume=0 | where count=0 | fields - count]
I am using the above search and I'm seeing the below result. Nothing below source and Customer, Zero appears below QuarterlyVolume.
source Customer QuarterlyVolume
0
I want to see the details of source and Customer as well.
Similar issue has been discussed here:
https://answers.splunk.com/answers/59589/no-results-found-to-be-represented-as-null-or-0.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have set all fields in the subquery this way -
index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [ stats count | eval Customer="NA" | eval QuarterlyVolume=0 | eval source="FW1-HKS-01" | where count==0 | fields - count ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have set all fields in the subquery this way -
index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [ stats count | eval Customer="NA" | eval QuarterlyVolume=0 | eval source="FW1-HKS-01" | where count==0 | fields - count ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I use that I am seeing NA as Customer in the result. I am expecting something like below
source Customer QuarterlyVolume
FW1-HKS-01 Customer_Name 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you know the customer name, then hardcode it the same way we hardcoded source field -
index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [ stats count | eval Customer="Customer_Name" | eval QuarterlyVolume=0 | eval source="FW1-HKS-01" | where count==0 | fields - count ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This helps but I would face the problem when I seach for a source which could be linked to any Customer. If I search with source I like to see Customer and source automatically like I used to see when I run the below query and the event count is not zero.
index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
