Splunk Search

How to add just a field name in the main result which has no result/value; I just want to display the name.

hrs2019
Path Finder

Hello all

I want to display the field name (CNB) in the main result, which has no result now but will in future.

I just want to showcase the total number of clients, new and old.

CNB - new client, no data
PPN - old, we have data
INB - old, we have data

Want to display in table format:

clients | recent time project update | number of users | by country

Thanks in advance.

0 Karma
1 Solution

to4kawa
Ultra Champion
| makeresults count=100
| eval count=random() % 3
| eval clients=case(count=1,"PPN",count=2,"INB",true(),null())
| stats values(_time) as Project_Update count as Number_of_Users by clients
| eval Project_Update=strftime(Project_Update,"%F")
| append 
    [| makeresults 
    | eval clients=split("CNB#PPN#INB","#")
    | mvexpand clients
    | eval Project_Update="N/A",Number_of_Users="N/A"
    | fields - _time]
| stats first(Project_Update) as Project_Update first(Number_of_Users) as Number_of_Users by clients

For the time being, it looks like this.

So,

Create user.csv:

Clients
PPN
CNB
INB
.....

and

your_search
|table Clients "Project Update" "Number of Users" "by Country"
|inputlookup append=t user.csv
|fillnull value="N/A"

This is easy.


0 Karma

hrs2019
Path Finder

Thanks for your help @to4kawa.
Small info: how can I add a drilldown option for
Clients
PPN -- open in new page (with their details)
CNB -- open in new page (with their details)
INB -- open in new page (with their details)

0 Karma

to4kawa
Ultra Champion

I don't know.
You didn't provide your search details.

0 Karma

hrs2019
Path Finder


I want to display it in the format shown; CNB doesn't have any value, as this is a new client, but PPN and INB do.

0 Karma

hrs2019
Path Finder

@ololdach can you please help me?

0 Karma

ololdach
Builder

I've amended the answer below. Please always include sample data and an example of the output, as it really helps to guess what you are up to 🙂

0 Karma

ololdach
Builder

Hi,

From a logical data flow point of view: first you need to get a list of all clients, those that have updates and/or users and those that don't. Either you query an index for "client creation events", select the data from another system/database, or you use a lookup table/csv. Whatever you choose, you will get a one-column table with all clients like "PPN,CNB,XXD,TYZ...INB...etc.". Try this query to generate some data that shows what the result would look like:

| makeresults | eval Clients="PPN,INB,CNB,XXA,etc" | table Clients | makemv delim="," Clients | mvexpand Clients 

Then you join the list with the stats results of the clients and, finally, you fill the null values. The result should look something like this:

<Client Table generating search> | join type=left Clients [ search <your search generating the user/project events> | stats sum(users) as users, latest(project_id) as project_id by Clients] |fillnull value="N/A"

Use this example to generate some sample data for the join search:

| makeresults count=10 | eval users=random()%100 | eval Clients=if(users>50,"PPN","CNB") | eval project_id="Project v".users | stats sum(users) as users, latest(project_id) as project_id by Clients

The full query looks like this:

| makeresults | eval Clients="PPN,INB,CNB,XXA,etc" | table Clients | makemv delim="," Clients | mvexpand Clients | join type=left Clients [| makeresults count=10 | eval users=random()%100 | eval Clients=if(users>50,"PPN","CNB") | eval project_id="Project v".users | stats sum(users) as users, latest(project_id) as project_id by Clients] | fillnull value="N/A"

Best
Oliver

0 Karma
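Putting to4kawa's append approach and ololdach's "complete list, then fill" data flow together in one search that produces the four-column table the question asks for. This is an added example, not code from either poster: the client events are constructed with makeresults (the field names user and country are assumed), the placeholder client list is generated inline instead of read from user.csv, and the append happens before a single stats so each client collapses to exactly one row.

```spl
| makeresults count=40
| eval r=random() % 100
| eval Clients=if(r < 60, "PPN", "INB")              
| eval user="user".(r % 8)                           
| eval country=if(r % 2 = 0, "US", "DE")             
| eval _time=_time - r*3600                          
| append
    [| makeresults
     | eval Clients=split("PPN,CNB,INB", ",")
     | mvexpand Clients
     | fields - _time ]
| stats max(_time) as last_update dc(user) as user_count values(country) as countries by Clients
| eval last_update=strftime(last_update, "%F %T")
| fillnull value="N/A" last_update countries
| rename Clients as clients, last_update as "recent time project update", user_count as "number of users", countries as "by country"
| table clients "recent time project update" "number of users" "by country"
```

The first six lines only fabricate events (constructed data: 40 events spread over PPN and INB with a user, a country and a timestamp within the last 100 hours); in a real search they are replaced by the base search over the index. The appended subsearch contributes one row per known client with nothing but the Clients field, so CNB reaches stats with no _time, user or country: max(_time) and values(country) come back null and are filled with N/A, while dc(user) is 0. Replacing the inline makeresults/split with | inputlookup user.csv (with a Clients column) gives the lookup-driven version from the accepted answer. Appending before stats rather than joining afterwards keeps the search inside a single aggregation and avoids the row and time limits that apply to join subsearches, and the client row survives even when it has no events, which is the point of the whole exercise.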

to4kawa
Ultra Champion

Sample log, please.

0 Karma