Why are "NULL" value data points being displayed and graphed on dashboards?

jmaple
Communicator

I have data coming in from the "sep" handlers but it seems the dashboards only want to parse "NULL" values and display them on the dashboards as data-points. My question is why does it pull non-existent values and graph them even though the data it's looking for isn't there? Why claim results where there are none? It should be noted that I'm not using the "symantec" index because all the "sep" sourcetype is being logged in the "winevent" (configured that way before I got here) index which the app is configured to use.

1 Solution

lguinn2
Legend

The generic answer to your question is this:

When you search, Splunk retrieves the events and then extracts the field information. Some events may be missing fields, but Splunk doesn't care.

But when you report, Splunk will assign NULL to missing fields; otherwise, not all of the events would be represented. Some commands, for example chart and timechart, have an option usenull=f, which suppresses the null values.

An even better technique is to exclude events from the search if they don't have the necessary fields. If you put something like this in your search

action=*

then Splunk will only retrieve events that have some value in the action field.

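The three searches below are an added illustration, not part of the original answer. They build four constructed SEP-style events with makeresults (so they run on any Splunk instance, with no symantec or winevent index needed), deliberately leave the action field out of the third event, and then show the three behaviours the answer describes: the default NULL column, usenull=f suppressing it, and filtering with action=* so the events never reach the chart at all. The hostnames, the action values and the scan=started event are all made up for the example.

```spl
| makeresults
| eval raw=split("ws01 action=Blocked|ws02 action=Quarantined|ws03 scan=started|ws04 action=Blocked", "|")
| mvexpand raw
| rex field=raw "^(?<host>\S+)"
| rex field=raw "action=(?<action>\S+)"
| chart count over host by action

| makeresults
| eval raw=split("ws01 action=Blocked|ws02 action=Quarantined|ws03 scan=started|ws04 action=Blocked", "|")
| mvexpand raw
| rex field=raw "^(?<host>\S+)"
| rex field=raw "action=(?<action>\S+)"
| chart usenull=f count over host by action

| makeresults
| eval raw=split("ws01 action=Blocked|ws02 action=Quarantined|ws03 scan=started|ws04 action=Blocked", "|")
| mvexpand raw
| rex field=raw "^(?<host>\S+)"
| rex field=raw "action=(?<action>\S+)"
| search action=*
| chart count over host by action
```

The first search produces Blocked and Quarantined columns plus a NULL column that carries a 1 on the ws03 row, which is exactly the "non-existent value" being graphed in the question: the event exists, only the split-by field is missing. The second search removes the NULL column but still counts the other three hosts. The third search is the approach the answer recommends, because ws03 is dropped before the reporting command ever sees it. In a real dashboard search the filter belongs in the base search rather than after a pipe, for example index=winevent sourcetype=sep action=* for the setup described in the question (the index and sourcetype names are taken from the question, not verified here), so that the events are excluded at retrieval time instead of being pulled back and discarded. Note also that useother=f is a different knob: it only decides whether series beyond the series limit are folded into an OTHER column, and has no effect on NULL.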
rstrong30
Loves-to-Learn

usenull=f useother=f

DOES NOT WORK! Splunk is somehow pulling data with no fields. The hostname is the simplest thing in the world for it to pull, yet it is determined to add blank field values for hosts. Customers did not simply forget to add the host value to their forwarders!

jmaple
Communicator

I see now that, with some of the saved searches, it's using properties like you've described. It's searching for fields that don't exist. I just find it odd that it graphs them without knowing the actual information.

lguinn2
Legend

I don't think the community will be able to help very much until we have more info.

Can you post one of the searches that is getting NULL values?

We might also want to see a sample of the data (obfuscated) and understand the fields a bit.
