https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291023#M87932 <P>Hi guys </P> <P>I added true(), 5 to the end. but it still not showing S0 column with default value 0. <BR /> In my data. each issue has its severity, so this time means there's no issue in severity S0. <BR /> but i want have a column S0 with value 0. <BR /> Please advise. </P> <P>Best<BR /> Xin</P> Fri, 12 May 2017 18:50:02 GMT hakusama1024 2017-05-12T18:50:02Z https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291020#M87929 <P>Hi guys</P> <P>I'm trying to create a statistic table for the data from jira. Each column has different severity for jira issue. <BR /> For example severity from S0 to S3, but there is no S0 level issue. So when i use the chart count b _time, severity it doesn't show the column for S0. I'm wondering is there any way to setup default value to 0 so i can see the missing column. <BR /> Thanks for help. </P> <P>the command i use:<BR /> index = "demo1" severity != null sdlc_phase !="closed"|dedup key| eval _time=strptime(created,"%Y-%m-%dT%H:%M:%S.000+0000") | bin _time span="1mon" | eval n_status=lower('severity') | eval sort_field=case(n_status=="s0", 1,n_status=="s1", 2,n_status=="s2", 3,n_status=="s3", 4, n_status=="TOTAL", 5 )| chart count by _time, severity |sort _time desc | fields - n_status sort_field | addtotals</P> <P>Best<BR /> Xin</P> Tue, 29 Sep 2020 14:03:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291020#M87929 hakusama1024 2020-09-29T14:03:34Z https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291021#M87930 <P>@hakusama1024, first off is severity value actually "null" in your events or do you actually want to filter out only event which have severity?</P> <P>Since you have used case for n_staus you can define the default value as 0 using either 1==1 or true() , following is an example</P> <PRE><CODE>eval sort_field=case( n_status=="s0", 1, n_status=="s1", 2, n_status=="s2", 3, n_status=="s3", 4, n_status=="TOTAL", 5, true(),0) </CODE></PRE> <P>Also, if you are already using chart command (or timechart command), you can directly use <CODE>span="1mon"</CODE>. </P> Fri, 12 May 2017 18:40:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291021#M87930 niketn 2017-05-12T18:40:09Z https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291022#M87931 <P>Try this<BR /> | eval sort_field=case(<BR /> n_status=="s0", "1",<BR /> n_status=="s1", "2",<BR /> n_status=="s2", "3",<BR /> n_status=="s3", "4",<BR /> n_status=="TOTAL"," 5",<BR /> true(),"0")</P> Tue, 29 Sep 2020 14:03:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291022#M87931 sravankaripe 2020-09-29T14:03:39Z https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291023#M87932 <P>Hi guys </P> <P>I added true(), 5 to the end. but it still not showing S0 column with default value 0. <BR /> In my data. each issue has its severity, so this time means there's no issue in severity S0. <BR /> but i want have a column S0 with value 0. <BR /> Please advise. </P> <P>Best<BR /> Xin</P> Fri, 12 May 2017 18:50:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291023#M87932 hakusama1024 2017-05-12T18:50:02Z https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291024#M87933 <P>All that you need to do is add this to your existing (almost working) search:</P> <PRE><CODE>| fillnull s0 s1 s2 s3 s4 s5 value=0 </CODE></PRE> <P>Whichever columns do not exist will be created and given a value of <CODE>0</CODE>.</P> Wed, 06 Sep 2017 02:11:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-set-column-with-default-value-if-column-key-not-exist/m-p/291024#M87933 woodcock 2017-09-06T02:11:25Z