fill in 0 when there is no data

mcohen13 · ‎06-11-2018

i have an index that calc amount of events for a specific domain name
this index have 3 fields: date,domain_name, event_count
if a domain have no event_count for a specific date than i don't have that record in the index
can i manipulate splunk into thinking that on missing dates for the last month the value was 0 (besides adding this data to the file)?

skoelpin · ‎06-11-2018

Yes, you can use | makeresults in your search to create that missing data then create some conditional logic to fill null values OR leave it as-is. Here's an example

| makeresults | eval domain_name=""
| [search index=.... <YOUR SEARCH>]
| eval domain_name=if(isnull(domain_name),"0",'domain_name')

mcohen13 · ‎06-11-2018

i get this error:
"Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '31' of search query '| makeresults | eval info="" | [search index="doma'."
The query:
| makeresults | eval info="" | [search index="domain_event_agg_info" event_domain="XXXX.YYY."] | eval info=if(isnull(event_count),"0",'event_count')

jlvix1 · ‎06-11-2018

Where are the events coming from that are in this index? Sounds to me like the data source itself is at fault and you're missing events, leaving you with gaping holes in your data because you should be getting zero-based events.

poete · ‎06-11-2018

Hi,

I think this is what you are looking for:
https://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Fillnull

mcohen13 · ‎06-11-2018

fillnull will not to the job
because i don't have null values in that field for a specific date
i have no values for that date

for example :
Query:
index="someindex" "domain"="domain_x" ] | chart max(event_count) over date
data:
date domain_x
2018-06-02 128
2018-06-03 623
2018-06-04 331

now i want to add that on other dates of the last month the value was 0 so i can call

niketn · ‎06-11-2018

@mcohen13, As far as your date field is having epoch time and not string time, fillnull should work. If it is string time then you either need to convert it to epoch using strptime() or use _time with span=1d instead.

Following is a run anywhere search based on Splunk's _internal index similar to your question (instead of 1d I have used 1h, to form more buckets).

index="_internal" "sourcetype"="splunkd" log_level=INFO
| chart span=1h max(cpu_seconds) as MaxValue over _time
| fillnull value=0 MaxValue

I have give max(cpu_seconds) an alias MaxValue and used fillnull for MaxValue. You can try without final fillnull command to see if Null Values are actually present or not.

Also, if you are plotting the result in chart, in the Chart Configuration Options i.e. Edit UI Panel and Format Visualization to change the Null Value to Zero to have similar efffect directly in chart (without using fillnull command).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jlvix1 · ‎06-11-2018

I thought fillnull is only good for charting? He never said he was charting, I think he needs to put in a whole record for that entry he is missing...

fill in 0 when there is no data

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life