https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597466#M208012 <P>Your base search is looking for events where both case_number and session fields are available. To see everything, just remove that filter from base search, like this</P><LI-CODE lang="markup">index=cui botId=123456789 session=* | table case_number session</LI-CODE><P>&nbsp;If you want to display some different value instead of blanks/null, try this version</P><P>&nbsp;</P><LI-CODE lang="markup">index=cui botId=123456789 session=* | eval case_number=coalesce(case_number,"Not Available") | table case_number session</LI-CODE><P>&nbsp;</P> Wed, 11 May 2022 18:30:59 GMT somesoni2 2022-05-11T18:30:59Z https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597429#M207994 <P>Hi all!</P><P>I'm trying to create a table with case_number and session as the two columns.&nbsp;</P><P>Any event without a case_number won't show up in the table. How do I get them to show up?&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=cui botId=123456789 case_number=* session=* | table case_number session</LI-CODE><P>&nbsp;</P><P>&nbsp;I tried using <STRONG>| fields case_number</STRONG> instead, but this didn't work either.&nbsp;</P><P>Appreciate any help!&nbsp;</P> Wed, 11 May 2022 15:08:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597429#M207994 KyleMcDougall 2022-05-11T15:08:06Z https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597433#M207996 <P>Hi,</P><P>You can fill empty fields with fillnull command, try this ;&nbsp;</P><P>index=cui "your search" | fillnull case_number value=null | table case_number session</P> Wed, 11 May 2022 15:18:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597433#M207996 batabay 2022-05-11T15:18:03Z https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597442#M208001 <P>This is really good to know! But, I still wasn't able to get events without a case number to show up.&nbsp;</P><P>I think the<STRONG> case_number=*</STRONG> parameter is enforcing that a value is present for this field.&nbsp;</P> Wed, 11 May 2022 15:55:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597442#M208001 KyleMcDougall 2022-05-11T15:55:31Z https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597466#M208012 <P>Your base search is looking for events where both case_number and session fields are available. To see everything, just remove that filter from base search, like this</P><LI-CODE lang="markup">index=cui botId=123456789 session=* | table case_number session</LI-CODE><P>&nbsp;If you want to display some different value instead of blanks/null, try this version</P><P>&nbsp;</P><LI-CODE lang="markup">index=cui botId=123456789 session=* | eval case_number=coalesce(case_number,"Not Available") | table case_number session</LI-CODE><P>&nbsp;</P> Wed, 11 May 2022 18:30:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597466#M208012 somesoni2 2022-05-11T18:30:59Z https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597468#M208014 <P>For some reason, the case number field doesn't show up unless I add in "case_number=*'</P><P>Dually noted your eval command. I'm sure I'll end up using it if I can figure out how to get the blank case number values to populate.&nbsp;</P> Wed, 11 May 2022 18:47:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/597468#M208014 KyleMcDougall 2022-05-11T18:47:47Z https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/620917#M215835 <P>Hi,</P><P>&nbsp;</P><P>What you can try is</P><P>| fillnull value=</P><P>don't fill anything after the =</P><P>I'm having the same issue and this works for me, let me know if it works for you.</P> Tue, 15 Nov 2022 15:20:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-return-events-with-or-without-a-value-in-a-specific-field/m-p/620917#M215835 TDFlames 2022-11-15T15:20:26Z