All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get empty tag fields?

yzimmer
New Member
‎07-18-2016 01:24 AM

Hello everyone!

I actually create a statistic dashboard to get the "Event Coverage" of each Fields like that :

* | stats count(U*) as U* | transpose | rename column AS Property "row 1" AS Count | SORT -Count | eval total=if(Property ="U1708_DOCUMENTTITLE",Count,0) | eventstats sum(total) as ok | eval Percentage=round(Count*100/ok,2) | search Property !="U1708_DOCUMENTTITLE"| table Property Percentage

I would like to also have fields with 0% Event Coverage in my Dashboard (when it's all the time null).

How can I do that?

Thanks a lot

0 Karma
Reply

woodcock
Esteemed Legend
‎07-18-2016 07:42 AM

I think that one of these 2 approaches should work:

https://answers.splunk.com/answers/321170/fill-in-0-if-no-result-is-returned.html
https://answers.splunk.com/answers/293823/how-to-table-list-of-values-from-lookup-not-found.html

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2016 02:17 AM

You have to insert an eval command for each field you use in your stats like the following:
|eval XXX=if(isnull(XXX)," ",XXX)
In this way you are sure that each record has enhanced the field.
Bye.
Giuseppe

0 Karma
Reply

yzimmer
New Member
‎07-18-2016 02:40 AM

Hi Giuseppe!

Thanks for your solution but that's can't work because fields don't exist in Splunk...
Normaly I have 60 fields but Splunk only get 40 fields in the search... So 20 of thems don't exist in Splunk (because they don't have value)...

Exemple (imagine) : Count of Fields = 4 and Count of Lines = 3

Field1|Field2|Field3|Field4
Hi |a |1 |
Hello |b ||
Hey |||

If I search "*" in Splunk search there is just Field1, Field2 & Field3 in the result, no trace of Field4, that's my problem...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2016 02:47 AM

what do you mean with "...only 40 fields in the search..." and "because they don't have value"?
I have a search with 72 fields displayed (using only 15 of them to search) and my searches correctly run.
In addition, if a field is defined I can give it a value also " ".
Bye.
Giuseppe

0 Karma
Reply

yzimmer
New Member
‎07-18-2016 03:07 AM

This picture is what Splunk propose for field :

http://www.hostingpics.net/viewer.php?id=531083Capture1.png

But if I do a search on empty field there is no result because there is no reference in Splunk...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2016 04:35 AM

try with fieldname=*,
in this way you can find logs also if the field is enhanced only in a few logs, and then put the field in evidence, in this way you can see it always is enhanced.
then if you try with the command "|eval XXX=if(isnull(XXX)," ",XXX)", in your stats you have all the logs with that field (both with value or space).
doing this for all interested fields you can have a stats with all your logs.
Use only fields you need because if you have many logs you decelerate your search.
Bye.
Giuseppe

0 Karma
Reply

yzimmer
New Member
‎07-18-2016 07:14 AM

I think the problem is not the search but is the DATA.
http://www.hostingpics.net/viewer.php?id=776656Sanstitre.png
Many fields have a "null" value. That's why I can't search them in Splunk...
https://answers.splunk.com/answers/137764/fields-disappear-in-search-app.html
In this post you can see the same problem

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-09-2016 04:17 AM

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2016 04:34 AM

try with fieldname=*, in this way you can find logs also if the field is enhanced only in a few logs, and then put the field in evidence, in this way you can see it always is enhanced.
then if you try with the command "|eval XXX=if(isnull(XXX)," ",XXX)", in your stats you have all the logs with that field (both with value or space).
doing this for all interested fields you can have a stats with all your logs.
Use only fields you need because if you have many logs you decelerate your search.
Bye.
giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...