topic Re: Fillnull not working with chart in Splunk Search

Fillnull not working with chart

lyndac — Fri, 15 May 2015 15:13:42 GMT

I'm trying to create a simple chart of the number of tickets for a specified subsystem. However the subsystem field is not always provided. Currently, there is a "slice" in my pie chart for tickets with no subsystem, but it has no label (because the subsystem is empty). The search I'm using is index=myIndex | fillnull value="Not Provided" subsystem | chart count(ticket) by subsystem. I have tried moving the fillnull to after the chart command and I have tried value=NONE but no luck. Please help

Re: Fillnull not working with chart

lguinn2 — Fri, 15 May 2015 16:07:48 GMT

The problem is this: when charts counts by subsystem, events without a subsystem are not included. Try this instead:

index=myIndex 
| eval subsystem=if(isnull(subsystem),"Not Provided",subsystem)
| chart count(ticket) by subsystem

Re: Fillnull not working with chart

stephanefotso — Fri, 15 May 2015 16:08:18 GMT

Instead of fillnull, you could use this query:

index=myIndex| chart count(ticket) by subsystem|where subsystem != " "

Re: Fillnull not working with chart

lyndac — Fri, 15 May 2015 18:26:46 GMT

if I change the where clause to |where subsystem != "", this works by excluding all the null subsystems. I'd like to see the count of null subsystems, but I'd like there to be a label that says "Not Provided".

Re: Fillnull not working with chart

lyndac — Fri, 15 May 2015 18:30:33 GMT

Actually, I see a count of subsystems that have no value...it shows up as a slice of the pie with no label. I tried this solution and it didn't change anything.

Oddly, I used |eval subsystem=if (isnotnull(subsystem), "Not Provided", subsystem) and it changed ALL the subsystem values to "Not Provided".

Does splunk treat an empty string "" differently than a null value?

BTW -- this data was read in from a csv file where the data and looks like ,"", in the raw data.

Re: Fillnull not working with chart

lyndac — Fri, 15 May 2015 18:39:23 GMT

This works:

index=myIndex
|eval subsystem=if (subsystem == "", "Not Provided", subsystem)
| chart count(ticket) by subsystem

Re: Fillnull not working with chart

lguinn2 — Fri, 15 May 2015 18:57:55 GMT

In your test for "isnotnull", you are saying "if subsystem has any value, replace it with 'not provided'" - I don't think that it is odd.

Yes, an empty string is technically not a null. Try this

index=myIndex 
 | eval subsystem=if(subsystem=="","Not Provided",subsystem)
 | chart count(ticket) by subsystem

Oops, I see that you figured this out in another answer...

Re: Fillnull not working with chart

chimell — Fri, 15 May 2015 22:15:27 GMT

Hi lyndac

I think that you must simply retry like this :

index=myIndex | fillnull value=NONE subsystem | chart count(ticket) by subsystem

Look at this example it works well

sourcetype=access_* |fillnull value=NONE categoryId |chart count(action) as c by categoryId

And the result