https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317109#M94870 <P>Same, no result... I tried src, host or even source for &lt;&gt;</P> Mon, 10 Apr 2017 15:58:00 GMT splunkreal 2017-04-10T15:58:00Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317103#M94864 <P>Hello guys,</P> <P>could you tell me how to only show null cells from this kind of table, for alerting purpose?</P> <P>Search: index=* host=XXX source=/var/log* | eval ... | <STRONG>timechart span=1d values(source) by host</STRONG></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2737i1F05B29EA7E5D232/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Thanks.</P> Mon, 10 Apr 2017 14:41:09 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317103#M94864 splunkreal 2017-04-10T14:41:09Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317104#M94865 <PRE><CODE>| where isnull(myfieldname) </CODE></PRE> Mon, 10 Apr 2017 14:44:52 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317104#M94865 DalJeanis 2017-04-10T14:44:52Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317105#M94866 <P>It doesn't work, I tried <EM>values(source) as src</EM> then use | where isnull(src) but nothing changed...</P> <P>| where isnull(values(source)) = 'values' function is unsupported</P> Mon, 10 Apr 2017 14:57:41 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317105#M94866 splunkreal 2017-04-10T14:57:41Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317106#M94867 <P>I would setup alert based on this search</P> <PRE><CODE>index= host=XXX source=/var/log | eval ... | timechart span=1d values(source) by host | eval shouldAlert=0 | foreach * [eval shouldAlert=shouldAlert+if(isnull('&lt;&lt;FIELD&gt;&gt;') OR '&lt;&lt;FIELD&gt;&gt;'="",1,0) ] | where shouldAlert&gt;0 </CODE></PRE> <P>Basically it'll loop through all columns for a row and add 1 to shouldAlert field if there are null value in that rows. Later we only select rows where alert should be raised. You can then setup alert with condition 'if number of events greater than 0'</P> Mon, 10 Apr 2017 15:37:03 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317106#M94867 somesoni2 2017-04-10T15:37:03Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317107#M94868 <P>Just add this to the end:</P> <PRE><CODE>| eval NULLVALUE="NO" | foreach * [eval NULLVALUE=if(isnull(&lt;&lt;FIELD&gt;&gt;), "YES", NULLVALUE)] | search NULLVALUE="YES" </CODE></PRE> Mon, 10 Apr 2017 15:46:05 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317107#M94868 woodcock 2017-04-10T15:46:05Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317108#M94869 <P>No result... I tried src, host or even source for &lt;&gt;</P> Mon, 10 Apr 2017 15:57:41 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317108#M94869 splunkreal 2017-04-10T15:57:41Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317109#M94870 <P>Same, no result... I tried src, host or even source for &lt;&gt;</P> Mon, 10 Apr 2017 15:58:00 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317109#M94870 splunkreal 2017-04-10T15:58:00Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317110#M94871 <P>YOu need to use literally '&lt;&gt;' there. No need to replace it with any field names.</P> Mon, 10 Apr 2017 16:08:34 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317110#M94871 somesoni2 2017-04-10T16:08:34Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317111#M94872 <P>Thanks a lot!</P> Mon, 10 Apr 2017 17:03:07 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317111#M94872 splunkreal 2017-04-10T17:03:07Z https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317112#M94873 <P>No, you do not need to change ANYTHING. Type it in EXACTLY as I had it and it will work.</P> Mon, 10 Apr 2017 17:13:12 GMT https://community.splunk.com/t5/Splunk-Search/Only-show-null-values-from-timechart-values-source/m-p/317112#M94873 woodcock 2017-04-10T17:13:12Z