Splunk Search

fillnull not working

logloganathan
Motivator

I have a query
base query | stats count by ABC | fillnull

but i am getting "no result"

instead of this, i want to display ABC count as "zero"

Tags (1)
0 Karma
1 Solution

kmaron
Motivator

Try this - from here: https://answers.splunk.com/answers/467823/if-there-are-no-results-found-how-do-i-get-my-sear.html

base query | stats count by ABC
 | appendpipe [ stats count | eval "NoResults"="0"  | where count=0 |table "NoResults"]

View solution in original post

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this

base query 
| append [|makeresults | eval count=""]
| stats count by ABC
|eval count=if(isnotnull(count),0,'count')
0 Karma

logloganathan
Motivator

Thanks for your help..still same result when i use this query

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Works on mine..

0 Karma

kmaron
Motivator

Try this - from here: https://answers.splunk.com/answers/467823/if-there-are-no-results-found-how-do-i-get-my-sear.html

base query | stats count by ABC
 | appendpipe [ stats count | eval "NoResults"="0"  | where count=0 |table "NoResults"]
0 Karma

logloganathan
Motivator

Awesome...i tried this query and its working fine..

0 Karma

FrankVl
Ultra Champion

I don't entirely follow what you're trying to achieve, but the purpose of fillnull is to populate empty fields with a null value, not to generate results when there are none. When the stats command returns 0 results, there is nothing to apply "fillnull" on.

If you can elaborate a bit more what you want to achieve (and if possible show some sample data and expected outcomes) we can try and help you find a solution that does work.

0 Karma

logloganathan
Motivator

stats command displaying "no result found" but i need value zero to be displayed

0 Karma

p_gurav
Champion

can you try :

 | stats count AS abc_count by ABC | fillnull abc_count value=0
0 Karma

logloganathan
Motivator

still i am getting the same result

0 Karma

p_gurav
Champion

logloganathan
Motivator

yes..could you please modify and provide the query

0 Karma

p_gurav
Champion

Can you share whole query? Is ABC field exist?

logloganathan
Motivator

yes..it exist..please consider ABC is name of error

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...