I have a scenario where one column needs to be indicated with Zero in the instance of no result. However, it's showing other fields as NULL. fillnull isn't working. index=dailyincidents earliest=-30d@d source=FW1-HKS-01 | dedup id | stats values(customer) AS Customer count AS QuarterlyVolume by source | appendpipe [stats count | eval QuarterlyVolume=0 | where count=0 | fields - count] I am using the above search and I'm seeing the below result. Nothing below source and Customer, Zero appears below QuarterlyVolume. source Customer QuarterlyVolume 0 I want to see the details of source and Customer as well. Similar issue has been discussed here: https://answers.splunk.com/answers/59589/no-results-found-to-be-represented-as-null-or-0.html ... View more

I appended 2 searches and each of them has "top Engineer" and now my result is like this. Engineer Escalated Closed Shaun 61 Smith 53 Arun 41 Sam 19 John 14 Jason 13 Eddy 12 Rich 9 Arun 114 John 93 Shaun 76 Eddy 74 Jason 46 Rich 38 Smith 16 Sam 12 How can I have a result like this ? Engineer Escalated Closed Shaun 61 76 Smith 53 16 Arun 41 114 Sam 19 12 John 14 93 Jason 13 46 Eddy 12 74 Rich 9 38 ... View more

I wish to run a query where I need to see if field1 has both entries in field2. Ex: I need to query the results like A & E which has both Escalated and Closed status. Field status A Escalated A Closed B Closed C Escalated D Escalated E Escalated E Closed ... View more

I am trying to create a report where same engineer has escalated a ticket and resolved it. Like Ticket 13440211 was escalated by shan and also closed by him as well. How can I create a query for this? Ticket status Engineer count 1 13440238 ESCALATED shan 10 2 13440211 CLOSED shan 74 3 13440211 ESCALATED shan 74 4 13440188 ESCALATED shan 2 5 13440144 ESCALATED shan 2 6 13440143 ESCALATED chan 15 6 13440143 CLOSED chan 15 7 13440143 ESCALATED shan 14 ... View more