https://community.splunk.com/t5/Getting-Data-In/Filtering-NULL-values-after-STATS/m-p/500170#M85227 <P>Hello Splunkers,</P> <P>First of all, than you all for such great community.</P> <P>I have a question. I am running a query in which I am using appendcols to append the results of a subsearch to my initial search. I am doing this because I am managing large datasets and I want to avoid using the JOIN command. My query is the following one:</P> <P>index=active_directory (source="<EM>ACTIVE_DIRECTORY</EM>") <BR /> | dedup NUUMA<BR /> | eval NUUMA=tostring(upper(NUUMA)) <BR /> | table NUUMA DISPLAYNAME UserAcControl</P> <P>| appendcols [search index=active_directory source="<EM>APP1</EM>" | dedup USERNAME | fields USERNAME UserAcControl |eval NUUMA=tostring(upper(USERNAME)) | fillnull value=NULL UserAcControl]</P> <P>| stats values(UserAcControl) count by NUUMA</P> <P>I am getting the results that I need, but after the STATS command, I need to select the UserAcControl attribute with NULL values. I have tried doing something like this, but it is not working:</P> <P>…| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)</P> <P>I am attaching a screenshot showing the the values that I want to capture.</P> <P>Any thoughts??</P> <P>Thank you!!</P> <P><IMG src="https://community.splunk.com/storage/temp/291803-example-splunk.jpg" alt="alt text" /></P> Wed, 30 Sep 2020 05:27:37 GMT gmartinv 2020-09-30T05:27:37Z https://community.splunk.com/t5/Getting-Data-In/Filtering-NULL-values-after-STATS/m-p/500170#M85227 <P>Hello Splunkers,</P> <P>First of all, than you all for such great community.</P> <P>I have a question. I am running a query in which I am using appendcols to append the results of a subsearch to my initial search. I am doing this because I am managing large datasets and I want to avoid using the JOIN command. My query is the following one:</P> <P>index=active_directory (source="<EM>ACTIVE_DIRECTORY</EM>") <BR /> | dedup NUUMA<BR /> | eval NUUMA=tostring(upper(NUUMA)) <BR /> | table NUUMA DISPLAYNAME UserAcControl</P> <P>| appendcols [search index=active_directory source="<EM>APP1</EM>" | dedup USERNAME | fields USERNAME UserAcControl |eval NUUMA=tostring(upper(USERNAME)) | fillnull value=NULL UserAcControl]</P> <P>| stats values(UserAcControl) count by NUUMA</P> <P>I am getting the results that I need, but after the STATS command, I need to select the UserAcControl attribute with NULL values. I have tried doing something like this, but it is not working:</P> <P>…| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)</P> <P>I am attaching a screenshot showing the the values that I want to capture.</P> <P>Any thoughts??</P> <P>Thank you!!</P> <P><IMG src="https://community.splunk.com/storage/temp/291803-example-splunk.jpg" alt="alt text" /></P> Wed, 30 Sep 2020 05:27:37 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-NULL-values-after-STATS/m-p/500170#M85227 gmartinv 2020-09-30T05:27:37Z https://community.splunk.com/t5/Getting-Data-In/Filtering-NULL-values-after-STATS/m-p/500171#M85228 <P><CODE>NULL</CODE> is nothing, not "NULL" string.</P> <P><CODE>| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)</CODE> <BR /> → <CODE>| stats values(UserAcControl) as UserAcControl count by NUUMA | where UserAcControl="NULL"</CODE></P> Sun, 17 May 2020 22:57:20 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-NULL-values-after-STATS/m-p/500171#M85228 to4kawa 2020-05-17T22:57:20Z https://community.splunk.com/t5/Getting-Data-In/Filtering-NULL-values-after-STATS/m-p/500172#M85229 <P>Thank you!!</P> Sun, 17 May 2020 23:15:30 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-NULL-values-after-STATS/m-p/500172#M85229 gmartinv 2020-05-17T23:15:30Z