topic FillNull In Timechart in Splunk Search

FillNull In Timechart

IRHM73 — Sun, 22 Apr 2018 16:00:05 GMT

Hi, I'm wondering whether someone may be able to help me please.

I'm using the following to extract metrics for a number of dimension values:

`wso2_wmf(RequestCompleted)` 
request.detail.Context="levy" OR
request.detail.Context="rates-list" OR
request.detail.Context="emp" OR
request.detail.Context="identity-verification" 
| fields request.detail.Context
| timechart span=1d limit=100 count by request.detail.Context
| fillnull value=0 request.detail.Contex

The problem I have is around the zero values and the 'fillnull'. It basically doesn't work.

I've tried shifting the position of the row within the query. I've then tried using usenull=t usestr=0 in the timechart line, but none of this works.

I just wondered whether someone may be able to point out where I've gone wrong?

Many thanks and kind regards

Chris

Re: FillNull In Timechart

skoelpin — Sun, 22 Apr 2018 16:06:24 GMT

Try this

`wso2_wmf(RequestCompleted)` 
 request.detail.Context="levy" OR
 request.detail.Context="rates-list" OR
 request.detail.Context="emp" OR
 request.detail.Context="identity-verification" 
 | fields request.detail.Context
 | timechart span=1d limit=100 count by request.detail.Context
| eval request.detail.Context=if(request.detail.Context="",0,'request.detail.Context')

Re: FillNull In Timechart

IRHM73 — Sun, 22 Apr 2018 16:14:07 GMT

Hi @skoelpin, thank you for taking the time to come back to me with this, but unfortunately it doesn't return any of the zero values.

Many thanks and kind regards

Chris

Re: FillNull In Timechart

skoelpin — Sun, 22 Apr 2018 16:18:40 GMT

I'm thinking it could be due to the fieldname. Try this to test it out

| timechart span=1d limit=100 count by request.detail.Context
| rename "request.detail.Context" AS Request
 | eval Request=if(Request="",0,'Request')

Re: FillNull In Timechart

IRHM73 — Sun, 22 Apr 2018 16:52:46 GMT

Hi thank you for coming back to me.

Unfortunately this doesn't make any difference to the figures returned.

Many thanks and regards

Chris

Re: FillNull In Timechart

woodcock — Sun, 22 Apr 2018 16:57:39 GMT

You are not making sense. You search says to get only events that HAVE A VALUE for field request.detail.Context (and furthermore that the value must be in this set: levy OR rates-list OR emp OR identity-verification ). Given this, it is IMPOSSIBLE to have a results set with any non-null value for request.detail.Context. So lets back up. Show a minimalist sample dataset. Show us the results that you are getting right now for your search, and mockup your desired result, pointing out the difference between the last two. As written right now, it is impossible for anyone to give you an answer.

Re: FillNull In Timechart

IRHM73 — Sun, 22 Apr 2018 18:04:57 GMT

@woodcock the issue seems to be around the span.

If I set my date range to 2, 3, or even 4 days, then I'm retrieving the zero metric columns. However when I set the date range to say 'yesterday' that is when the issue occurs.

Kind Regards

Chris

Re: FillNull In Timechart

IRHM73 — Sun, 22 Apr 2018 18:17:33 GMT

All,

Thank you for your time and trouble.

I found the solution here: https://answers.splunk.com/answers/523189/how-to-use-timechart-count-to-return-0-when-value.html

Have a good day.

Kind Regards

Chris

Re: FillNull In Timechart

woodcock — Sun, 22 Apr 2018 19:22:01 GMT

It is still unclear what the "issue" is. It would be crystal clear if you exemplified it as I suggested.