Splunk Search

Set values to 0 when there are no search results

mborn
New Member

Hi,

on Splunk Enterprise 6.6.5 I have the following problem:
I am using 3 saved searches in one dashboard via appendcols and have additional columns where I use the output from the saved searches to compute new values. However, for one search the column frequently stays blank asthere are no results in the chosen time frame instead of showing zeroes and so do the columns corresponding to searches using the empty column.
I would like to fill the empty column with zeroes and have the other columns use 0 as a value for their computations. filnull does not seem to help here.

Any help is much appreciated!

Thanks!

0 Karma

horsefez
SplunkTrust
SplunkTrust

Hi mborn,

you can also go for something like this.

<yoursearch> | eval <nameoffield>=if(isnull(<nameoffield>), "0", <nameoffield>)

mborn
New Member

Hi pyro_wood,

thanks for the help! While that suggestion did not quite do the trick (the result was the same in the end) I could figure out a way going from there. The search which lead to the column being filled with zeroes was:

| savedsearch | appendcols [ | savedsearch | appendpipe [ stats count | where count==0 | eval =0 | table ] ] | fillnull.

0 Karma

pradeepkumarg
Influencer

Can you explain more on why fillnull doesn't work for you? Make sure you do the fillnull prior to your computations and not at the end.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...