https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393250#M167407 <P>This is the event data:<BR /> ls1=INFO ls1Label=Severity ls2=MS SQL SERVER ls2Label=ServerType ls3=Command List ls3Label= cat=Audit sproc=ubuntu user=billy uid=DOMAIN\billybob dest= lhost=abrokenserver ohost=serverconnectedto CMD=su apt install *</P> <P>index=rootCMDs<BR /> | rex field=_raw "^[^ \n]* (?P[^ ]+)"<BR /> | rex field=_raw "^(?:[^|\n]<EM>|){5}(?P[^|]+)"<BR /> | rex field=_raw "ls3label=(?.</EM>)\scat="<BR /> | eval ls3label=case(isnull(ls3label),"NULL",1=1,dst) <BR /> | where isnotnull(ls3label) <BR /> | search dst=" "<BR /> | stats count by lhost, ls3label, sproc. user, uid<BR /> | sort 0 count desc</P> <P>When I pull the stats count I get no data but the even data lists everything and has hundreds of events where *="no data". How do I specifically search for the blank data only? Or is my search improperly formatted?</P> Tue, 29 Sep 2020 21:23:18 GMT reneedeleon 2020-09-29T21:23:18Z https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393250#M167407 <P>This is the event data:<BR /> ls1=INFO ls1Label=Severity ls2=MS SQL SERVER ls2Label=ServerType ls3=Command List ls3Label= cat=Audit sproc=ubuntu user=billy uid=DOMAIN\billybob dest= lhost=abrokenserver ohost=serverconnectedto CMD=su apt install *</P> <P>index=rootCMDs<BR /> | rex field=_raw "^[^ \n]* (?P[^ ]+)"<BR /> | rex field=_raw "^(?:[^|\n]<EM>|){5}(?P[^|]+)"<BR /> | rex field=_raw "ls3label=(?.</EM>)\scat="<BR /> | eval ls3label=case(isnull(ls3label),"NULL",1=1,dst) <BR /> | where isnotnull(ls3label) <BR /> | search dst=" "<BR /> | stats count by lhost, ls3label, sproc. user, uid<BR /> | sort 0 count desc</P> <P>When I pull the stats count I get no data but the even data lists everything and has hundreds of events where *="no data". How do I specifically search for the blank data only? Or is my search improperly formatted?</P> Tue, 29 Sep 2020 21:23:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393250#M167407 reneedeleon 2020-09-29T21:23:18Z https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393251#M167408 <P>@reneedeleon</P> <P>Have you tried `fillnull' command to assigned default value instead of keeping null value?</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Fillnull">http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Fillnull</A></P> <PRE><CODE>| fillnull value="NA" lhost, ls3label, sproc. user, uid | stats count by lhost, ls3label, sproc. user, uid </CODE></PRE> Wed, 26 Sep 2018 18:28:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393251#M167408 kamlesh_vaghela 2018-09-26T18:28:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393252#M167409 <P>Converted comment to answer because that's the answer.</P> Thu, 27 Sep 2018 04:39:51 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393252#M167409 DalJeanis 2018-09-27T04:39:51Z https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393253#M167410 <P>Thank you Dal,</P> <PRE><CODE> Let me ask another question to the answer. Is it plausible to search multiple fields where there is data and NULL values. </CODE></PRE> <P>maybe:</P> <P>| search *=NULL OR | where *=NULL</P> Thu, 27 Sep 2018 11:36:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-pull-a-stats-table-where-there-are-blank-fields-in/m-p/393253#M167410 reneedeleon 2018-09-27T11:36:25Z