Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

query when the field might not exist

afrancoi
Engager
‎12-02-2011 08:06 AM

I have two types of entries in my log

02DEC2011_16:02:18.065 22480138:5912 INFO ../src/s_ccls_storagemanager.cpp:7878 GRAIN Id=CCLS:5478193982531698702:4c067463037c0059 ReqType=GETAKBLOBS Uuid=7901790 sid=5681561375462916618

02DEC2011_16:01:44.962 20185372:4113 INFO ../src/s_ccls_storagemanager.cpp:7958 GRAIN Id=CCLS:5478192230185041938:4c0672c7037c0018 ReqType=GETAKBLOBS Uuid=2296490 hier_id=1 hier_name='GICS' mnemonic=GICS name='.GICS Sectors' sid=5681561740561350815

and I would like to do a query where I see the stats for count by mnemonic but also include the log entries without a mnemonic.

Tags (3)
Reply

rossikwan
Path Finder
‎07-31-2013 01:18 AM

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Fillnull

0 Karma
Reply

Ayn
Legend
‎12-02-2011 08:22 AM

Create a value for mnemonic in the case where it doesn't exist in the event:

... | fillnull value="N/A" mnemonic | stats count by mnemonic
Reply

Ayn
Legend
‎12-02-2011 08:27 AM

Glad it helped! Could you please mark my answer as accepted? Thanks!

0 Karma
Reply

afrancoi
Engager
‎12-02-2011 08:24 AM

Awesome! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...