Hey everyone,
I have an issue with a table that has an empty column:
index=_internal
| head 10
| table _time host "my field"
Using Splunk 6.5.2 this results in a table with three columns: _time, host and my field.
When I click on any column header for sorting the column my field disappears.
Even fillnull does not work as I expected:
index=_internal
| head 10
| table _time host "my field"
| fillnull value="some value"
There is no filling, and sorting will make the column my field disappear, again.
What is working, but is clunky since I will have 15+ fields that might change some time in future:
index=_internal
| head 10
| table _time host "my field"
| fillnull value="" "my field"
In my case I am actually using an eval prior in order to calculate the my field value. Since the source field is rarely present, the result is mostly NULL. As if I was doing this:
index=_internal
| head 10
| eval "my field"=null()
| table _time host "my field"
| fillnull value=""
(same problem)
I hope I just missed something obvious.
All the best,
Björn
Like this (field names with spaces are E*V*I*L):
index=_internal
| head 10
| eval "my field"=if(isnull('my field'), "some value", 'my field')
| table _time host "my field"
Due to feedback from slack this behaviour is only showing in 6.5.2. Not in 6.5.1 nor in 6.4.2.
Can you try these
index=_internal | head 10 | table _time host "my field"
| fillnull value="" *
or
index=_internal | head 10 | table _time host "my field"
| foreach * [eval "<<FIELD>>"=coalesce('<<FIELD>>',"")]
Hey,
thanks for the feedback.
the first one results in an additional column named *, which does not disappear if sorted. my field does disappear though
the second one results in a table where my field still disappears
hi bjoernjensen,
did you try to assign a zero value when "my field" is null, inserting something like this before your table command?
| eval "my field" = if(isnull('my field'),0,'my field')
bye.
Giuseppe
Hey Giuseppe,
I certainly could fix each field (table column) with this odd behaviour using fillnull value="" <FIELD_1> <FIELD_2> ... <FIELD_n>. But I need something more universal. Like the default behaviour of fillnull:
field-list
Description: ... If not specified, fillnull is applied to all fields.
source: https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Fillnull
Do I have to file a bug here?
Probably.
Open a case on Partner Portal, this will be useful for all Splunkers.
Bye.
Giuseppe