Counting values

Hi,
I have a key-value pair, say FTYPE=VAL1 and FTYPE=VAL2, and create a timechart with

earliest=-1d@d latest=now | timechart
count(eval(FTYPE=VAL1)) as TYPE1, count(eval(FTYPE="VAL2")) as TYPE2

All of a sudden I notice that the expected numbers are wrong because some of the FTYPE values are blank, like FTYPE=

How can I create the timechart where blank FTYPE values are treated as VAL1? I tried something like
count(eval(FTYPE=VAL1 OR FTYPE="")) as TYPE1

Somehow that doesn't work either.

Any ideas? Many thanks ...

0 Karma
Re: Counting values

You test for null like this: isnull(field)
So your search would be:

FTYPE=VAL1 OR isnull(FTYPE)

or, you could just do this beforehand:

... | eval FTYPE=if(isnull(FTYPE),"VAL1",FTYPE) | ...

0 Karma
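
The normalization from the reply above, written out as a complete search. This is an added example, not part of the original posts. It runs on constructed events from makeresults (the field n and the sample values are made up for the demonstration) and assumes a blank FTYPE= may arrive either as a missing field or as an empty string, so it folds both cases into VAL1 before counting.

```spl
| makeresults count=8
| streamstats count as n
| eval _time=now() - n*3600
| eval FTYPE=case(n%4==0, "VAL1", n%4==1, "VAL2", n%4==2, "")
| eval FTYPE=if(isnull(FTYPE) OR FTYPE=="", "VAL1", FTYPE)
| timechart span=1h count(eval(FTYPE=="VAL1")) as TYPE1, count(eval(FTYPE=="VAL2")) as TYPE2
```

To use it on real data, replace the first four lines with the base search and keep the last two.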