Splunk IT Service Intelligence

ITSI distinct count KPI: 0 vs. NULL values?

curtismcginity
Explorer

I have a simple KPI giving a distinct count of a USER_ID field. Assume USER_ID exists for 100% of logged events. Within ITSI, the KPI is configured to "fill gaps in data" with NULL values and an Unknown threshold level.

During a time when no events were logged, the KPI maintained a 0 value (not the NULL value). Is this a bug, or some kind of expected behavior? Any suggestions on a workaround?

RickvdIJ
Explorer

Hi,

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

The resulting search is: | stats dc(USER_ID).

Perhaps you can create a counter field, where the result of an existing field is 0 or more. And without events this field will not be there?
eval counterfield=if(USER_ID=="",1,0)

curtismcginity
Explorer

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

Actually there's a very important distinction to make here. Suppose I ask you, "How many balls are inside the box in the next room?" Consider two scenarios:

  1. You walk into the next room, see the box, look inside, and see nothing. 
  2. You walk into the next room and see nothing. No box, no balls; nothing.

These are clearly not the same scenario, and so I would expect different behavior imho. Intuitively, a human would likely respond along the lines of

  1. "Zero!"
  2. "Uhm... there is no box!"

The fundamental issue is that any feasible response to a question implicitly validates the premise(s) of the question. In case 2, we need Splunk to return a result indicating our premise is false. Indeed, the "null value" config exists, at least in part, to make this distinction... assuming it works 😉

logankinman99
Path Finder

I have the exact opposite problem (but the same).
I have it set to show custom value 0 but it just shows Null.

0 Karma

RickvdIJ
Explorer

I have the same issue. I want to continue with the latest available value, but the result is 0. If you run, investigate and expand the generated search, you see ITSI is performing a: | stats dc(USER_ID) and, with a macro, it stores the result in a cache.

Statistically, a result of no occurrences will result in the value 0.
I'm trying with streamstats, latest/earliest and such, but no luck yet.

0 Karma
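The distinction curtismcginity draws (an empty box versus no box at all) can be made explicit in the search itself, since a bare | stats dc(USER_ID) returns 0 in both cases. The following SPL is an added example written for this thread, not code from the original posts or from ITSI; the index and sourcetype names are placeholders, and it assumes the KPI is driven by a search you can edit. It computes the event count alongside the distinct count and replaces the distinct count with null() when there were no events at all, so the result field is empty rather than 0 in the "no box" case.

```spl
index=app sourcetype=web_access earliest=-5m latest=now
| stats count AS events, dc(USER_ID) AS users
| eval users=if(events > 0, users, null())
| eval scenario=case(
        events == 0, "no events in window (no box)",
        users == 0,  "events present but no USER_ID values (empty box)",
        true(),      "distinct users counted")
| fields users events scenario
```

Run it in a normal search first: with events in the window, users is the distinct count; with none, stats still emits one row (events=0) but users is now empty instead of 0. Whether ITSI then renders that empty value as the configured NULL gap, or applies its own fill logic on top, is something to verify in your environment against the expanded KPI search rather than assume.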

VatsalJagani
SplunkTrust

@curtismcginity - I think if you set that to NULL value it shows the discontinued chart.

0 Karma