Re: Replace no value with "0" (zero)

swengroeneveld · ‎05-12-2020

Hi all,

Since a few days I am in a battle regarding the following and I am on the loosing edge here. So all help is wanted of course.

Instead of "no result found" in the graph area, I want to have a visual but in that case all "0".

My query is as follows:

index=index host=test 
| rex field=_raw "(?ms)^(?:[^ \\n]* ){6}(?P<SyslogMessage>[^:]+)(?:[^ \\n]* ){7}(?P<src_ip>[^ ]+) to (?P<dest_ip>[^ ]+)"  
| eval msg = if(match(SyslogMessage,"%ABC-1-*"),"alert", if(match(SyslogMessage,"%ABC-2-*"),"critical","Other"))
| Search NOT msg="other"
| timechart span=360s count(msg) as cnt, first(BaseLine) as Baseline by msg
| eval BaseLine=8

I tried several options such as before the last |eval BaseLine=8:

| fillnull value=0 cnt

Looking for some magic.

S

to4kawa · ‎05-12-2020

|  timechart span=360s count(msg) as cnt, first(BaseLine) as Baseline by msg

please provide the results.

_time cnt: alert cnt: critical cnt: other Baseline: alert Baseline: critical Baseline: other

Is this?

Replace no value with "0" (zero)

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases