https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220750#M64862 <P>and the final result</P> <PRE><CODE>| inputlookup channel2.csv| eval count=0, Channel=lower(Channel)| append [ search index=java host=*myhost* "PLACEORDER_API_UNSUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=lower(Channel) | stats count AS Failure BY Channel] |stats sum(count) AS Failure BY Channel | appendcols [search index=java host=*myhost* "PLACEORDER_API_SUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=case(orderSourceId == 7, "Desktop", orderSourceId == 6, "Andriod", orderSourceId == 5, "iOS") |stats count as Success by Channel]| appendcols [search (index=java host=*myhost* "Request received for placeOrder") OR (index=java host=*myhost* "PLACEORDER_API_REQUEST" orderSourceId=*) | transaction cartId maxspan=5sec| eval Channel=case(orderSourceId == 7, "Desktop", orderSourceId == 6, "Andriod", orderSourceId == 5, "iOS") | stats count by Channel] | eval Success_Percentage=(Success/(Success+Failure))*100 | table Channel Success Failure Success_Percentage </CODE></PRE> <P>Had to update the lookup a bit to get it to return the description as the Channel name</P> Tue, 15 Nov 2016 16:55:02 GMT tkwaller 2016-11-15T16:55:02Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220743#M64855 <P>Hello</P> <P>Trying to get this search to work, it works if I remove the BY clause:</P> <PRE><CODE>index=java host=*myhost* "PLACEORDER_API_UNSUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=case(orderSourceId == 7, "Desktop", orderSourceId == 6, "Andriod", orderSourceId == 5, "iOS") | stats count AS Failure BY Channel </CODE></PRE> <P>The issue is that the base search does not return any results.</P> <P>I tried <CODE>| fillnull value=NULL</CODE> but it doesn't seem to work because of the BY clause. If I remove it, it works fine. </P> <P>Any ideas?<BR /> Thanks!</P> Tue, 15 Nov 2016 14:59:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220743#M64855 tkwaller 2016-11-15T14:59:17Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220744#M64856 <P>Hi tkwaller,<BR /> If your search runs when you remove the BY clause means that, in your events, you haven't the "Channel" field with values.<BR /> Verify if the field name is correct and in how many events is present.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 15 Nov 2016 15:05:27 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220744#M64856 gcusello 2016-11-15T15:05:27Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220745#M64857 <P>No meaning if I remove the BY clause and run it with the fillnull command at the end it works fine:</P> <PRE><CODE>index=java host=*myhost* "PLACEORDER_API_UNSUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=case(orderSourceId == 7, "Desktop", orderSourceId == 6, "Andriod", orderSourceId == 5, "iOS") | stats count AS Failure | fillnull value=NULL` </CODE></PRE> Tue, 15 Nov 2016 15:07:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220745#M64857 tkwaller 2016-11-15T15:07:53Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220746#M64858 <P>Hi tkwaller,<BR /> Sorry but I didn't understand your need: </P> <UL> <LI>you have results running a stats count with BY clause,</LI> <LI>why you add the fillnull command? after a stats command you haven't any null results!</LI> <LI>"fillnull" replaces null values with a specified value;</LI> <LI>do you want to have the Channel values also without events? </LI> </UL> <P>if you need is to have all results for all the Channel values (both with or without events) you have to create a lookup table with all your Channels and run something like this:</P> <PRE><CODE> | inputlookup Channels.csv | eval count=0, Channel=lower(Channel) | append [ search yoursearch | eval Channel=lower(Channel) | stats count by Channel ] | stats sum(count) AS Total </CODE></PRE> <P>In this way you have all the results for Channels, both with or without events.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 15 Nov 2016 15:22:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220746#M64858 gcusello 2016-11-15T15:22:53Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220747#M64859 <P>There are two ways you could do it.</P> <P>Option 1<BR /> Using your case statements you need to add double quotes for values 5, 6 and 7 on right side of evaluation expression.</P> <PRE><CODE>index=java host=*myhost* "PLACEORDER_API_UNSUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=case(orderSourceId == "7", "Desktop", orderSourceId == "6", "Andriod", orderSourceId == "5", "iOS") | stats count AS Failure BY Channel </CODE></PRE> <P>Option 2</P> <PRE><CODE>index=java host=*myhost* "PLACEORDER_API_UNSUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=orderSourceId | replace "7" with "Desktop" in Channel|replace "6" with "Android" in Channel| replace "5" with "iOS" in Channel| stats count AS Failure BY Channel </CODE></PRE> <P>PS: </P> <OL> <LI>Instead of eval Channel=orderSourceID you can also use rename orderSourceId as Channel.</LI> <LI>While Using replace command numbers 5, 6 and 7 need not be in double quotes, but safety does not harm <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></LI> </OL> Tue, 15 Nov 2016 15:24:41 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220747#M64859 niketn 2016-11-15T15:24:41Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220748#M64860 <P>Yes the lookup table worked. Thank you.</P> <P>Here is the reason I ask. I am trying to combine that search along with some other stuff to create a dashboard with. I got it working, just evaluating it now:</P> <PRE><CODE>| inputlookup channel.csv| eval count=0, Channel=lower(Channel)| append [ search index=java host=*myhost* "PLACEORDER_API_UNSUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=lower(Channel) | stats count AS Failure BY Channel]| stats sum(count) AS Failure BY Channel | appendcols [search index=java host=*myhost* "PLACEORDER_API_SUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=case(orderSourceId == 7, "Desktop", orderSourceId == 6, "Andriod", orderSourceId == 5, "iOS") |stats count as Success by Channel]| appendcols [search (index=java host=*myhost* "Request received for placeOrder") OR (index=java host=*myhost* "PLACEORDER_API_REQUEST" orderSourceId=*) | transaction cartId maxspan=5sec| eval Channel=case(orderSourceId == 7, "Desktop", orderSourceId == 6, "Andriod", orderSourceId == 5, "iOS") | stats count by Channel] | eval Success_Percentage=(Success/(Success+Failure))*100 | table Channel Success Failure Success_Percentage </CODE></PRE> Tue, 15 Nov 2016 16:17:06 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220748#M64860 tkwaller 2016-11-15T16:17:06Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220749#M64861 <P>the only thing I haven't figured out yet is how to get the description/Channel names included in the table.</P> <P>In the channel.csv I have a field called description that names the channels:<BR /> "Desktop", "Andriod", "iOS"</P> Tue, 15 Nov 2016 16:53:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220749#M64861 tkwaller 2016-11-15T16:53:30Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220750#M64862 <P>and the final result</P> <PRE><CODE>| inputlookup channel2.csv| eval count=0, Channel=lower(Channel)| append [ search index=java host=*myhost* "PLACEORDER_API_UNSUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=lower(Channel) | stats count AS Failure BY Channel] |stats sum(count) AS Failure BY Channel | appendcols [search index=java host=*myhost* "PLACEORDER_API_SUCCESSFUL" orderSourceId=7 OR orderSourceId=6 OR orderSourceId=5 | eval Channel=case(orderSourceId == 7, "Desktop", orderSourceId == 6, "Andriod", orderSourceId == 5, "iOS") |stats count as Success by Channel]| appendcols [search (index=java host=*myhost* "Request received for placeOrder") OR (index=java host=*myhost* "PLACEORDER_API_REQUEST" orderSourceId=*) | transaction cartId maxspan=5sec| eval Channel=case(orderSourceId == 7, "Desktop", orderSourceId == 6, "Andriod", orderSourceId == 5, "iOS") | stats count by Channel] | eval Success_Percentage=(Success/(Success+Failure))*100 | table Channel Success Failure Success_Percentage </CODE></PRE> <P>Had to update the lookup a bit to get it to return the description as the Channel name</P> Tue, 15 Nov 2016 16:55:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-fillnull-search-with-a-BY-clause-not-returning-any/m-p/220750#M64862 tkwaller 2016-11-15T16:55:02Z