Why are "NULL" value data points being displayed and graphed on dashboards?

jmaple
Communicator

I have data coming in from the "sep" handlers, but it seems the dashboards only want to parse "NULL" values and display them on the dashboards as data points. My question is: why does it pull non-existent values and graph them even though the data it's looking for isn't there? Why claim results where there are none? It should be noted that I'm not using the "symantec" index, because all of the "sep" sourcetype data is being logged to the "winevent" index (configured that way before I got here), which the app is configured to use.

1 Solution

lguinn2
Legend

The generic answer to your question is this:

When you search, Splunk retrieves the events and then extracts the field information. Some events may be missing fields, but Splunk doesn't care.

But when you report, Splunk will assign NULL to missing fields; otherwise, not all of the events would be represented. Some commands, for example chart and timechart, have an option usenull=f which will suppress the null values.

An even better technique is to exclude events from the search if they don't have the necessary fields. If you put something like this in your search

action=*

then Splunk will only retrieve events that have some value in the action field.

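The three behaviours in the accepted answer, shown on a constructed dataset so the searches run on any Splunk instance without the Symantec data. This is an added example, not part of the original thread: the field name action is taken from the answer, the six events are fabricated with makeresults (three carry an action value and three do not), and the index=winevent sourcetype=sep prefix mentioned afterwards is the questioner's setup, assumed here. Each of the four searches below is complete and can be pasted into the search bar on its own.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - n*60
| eval action = case(n==1, "allowed", n==2, "blocked", n==3, "allowed")
| chart count BY action

| makeresults count=6
| streamstats count AS n
| eval _time = now() - n*60
| eval action = case(n==1, "allowed", n==2, "blocked", n==3, "allowed")
| timechart span=1m count BY action usenull=f useother=f

| makeresults count=6
| streamstats count AS n
| eval _time = now() - n*60
| eval action = case(n==1, "allowed", n==2, "blocked", n==3, "allowed")
| search action=*
| chart count BY action

| makeresults count=6
| streamstats count AS n
| eval _time = now() - n*60
| eval action = case(n==1, "allowed", n==2, "blocked", n==3, "allowed")
| stats count AS total_events, count(action) AS events_with_action
```

The first search returns three rows, allowed 2, blocked 1 and NULL 3: the NULL row is the "non-existent" data point from the question, because case() leaves action unset for events 4 to 6 and chart still counts them. The second search keeps the same events but, with usenull=f, creates no series for them (useother=f additionally stops low-volume series from being folded into an OTHER series), so nothing is plotted for them. The third search drops the events before the reporting command ever sees them; in a real saved search that filter belongs in the base search, for example index=winevent sourcetype=sep action=*, so the events are not retrieved at all, which is also cheaper. The fourth search is the check to run before touching a dashboard: on this data it returns total_events 6 and events_with_action 3, and if the same comparison against your own sourcetype shows events_with_action at or near zero, the saved search is splitting on a field that your extractions do not produce for those events, which is the situation jmaple describes further down.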

rstrong30
Loves-to-Learn

usenull=f useother=f

DOES NOT WORK! Splunk is somehow pulling data with no fields. The hostname is the simplest thing in the world for it to pull, yet it is determined to add blank field values for hosts. Customers did not simply forget to add the host value to their forwarders!


jmaple
Communicator

I see now that, with some of the saved searches, it's using properties like you've described. It's searching for fields that don't exist. I just find it odd that it graphs them without knowing the actual information.


lguinn2
Legend

I don't think the community will be able to help very much until we have more info.

Can you post one of the searches that is getting NULL values?

We might also want to see a sample of the data (obfuscated) and understand the fields a bit.
