How to display the last value of an event in place...

kkarthik2 · ‎07-14-2015

Example: My dashboard looks like

              1:00       2:00       3:00       4:00
 1. foo       100        200        -          -
 2. foo1      -          -          50         100
 3. foo3      50         100        200        -
 4. foo4      -          50         100        200

We need to replace "-" with 200 in "1.foo" and similarly for "3.foo3".

I have used filldown, but it is not working. Can someone help me with the search for this?

sourcetype="foo" | ....|chart max(S1) as S1 by foo, time | filldown S1.

alacercogitatus · ‎07-14-2015

You should be able to use the fillnull command.

sorucetype="foo" | ....|chart max(S1) as S1 by foo,time | fillnull value=200 S1

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/fillnull

kkarthik2 · ‎07-14-2015

But It should showing in all the places wherever "-" presents. Plz look it below

                  1:00         2:00         3:00          4:00

foo 100 200 - -
foo1 - - 50 100
foo3 50 100 300 -
foo4 - 50 100 -

We need to replace "-" with 200 in "1.foo" at time of 3:00 and 4:00and similarly for "3.foo3" should replace 300 at time of 4:00. In 4.foo4 replace 100 at 4:00, not at 1:00

I have used filldown, but it is not working. Can someone help me with the search for this?

kkarthik2 · ‎07-14-2015

need to show latest value on remaining times for each row, once we get value reaches the target.

How to display the last value of an event in place of each of the remaining null values in a row?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio