All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to include completely missing fields in results

acidkewpie
Path Finder
‎09-27-2012 07:20 AM

Hi,

I'm looking at charting the most common file types, based on a string in a log of "..., http_path=/a/b/c/blah.gif, next-field=..." for example. I've extracted the "gif" field easily enough, and so I can trivially see all file types. BUT how do I cover the case of there being no extension? e.g. "..., http_path=/a/b/app, next-field=..."? These web app locations are the significant majority of the requests, and I'd really like to have a "No Ext" chunk on my pie chart. How can I do this?

If I go back to where the log is generated, then I can hack out the extension there, make a new field, like http_ext and leave it empty, but that doesn't seem like the right thing to do.

Cheers

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎09-27-2012 07:45 AM

Do your extractions first, then for each event (before using stats functions), replace the fields that are null by a text value.

example for the field myfield;



| eval myfield=if(isnull(myfield),"missing",myfield)

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎09-27-2012 07:45 AM

Do your extractions first, then for each event (before using stats functions), replace the fields that are null by a text value.

example for the field myfield;



| eval myfield=if(isnull(myfield),"missing",myfield)

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎09-28-2012 10:55 AM

acid, thanks, I looked for this command for months !!!

0 Karma
Reply
Solved! Jump to solution

acidkewpie
Path Finder
‎09-28-2012 12:13 AM

Oh, hang on... Shouldn't this be using "| fillnull value=NONE myfield"? Isn't that going to be much more efficient?

0 Karma
Reply
Solved! Jump to solution

acidkewpie
Path Finder
‎09-27-2012 08:13 AM

brilliant, thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...