Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

FillNull Not Working for all aspects of the search

agrant21
Loves-to-Learn
‎03-22-2024 11:48 AM

I am having trouble with my search. I am finding groups and my groups are broken down into organization, unit, and subunit. The tokens are being passed in for each respective part of the group. 

example:

Group1: apple.banana.orange

Group2: apple. banana.grape

Group3: melon.berry

index | search organization = $org$ | search unit = $unit$ | search subunit = $subunit$ | eval group = organization."."unit."."subunit

This would output apple.bananan.orange and apple.banana.grape, but would not show anything for melon.berry

Sometimes I have groups that do not have subunits. When I tried to add the fillnulll:

index | search organization = $org$ | search unit = $unit$ | fillnull value="" $subunit$ | eval group =if(isnotnull($subunit$), organization."."unit."."subunit, "organization.".".unit)


That worked for groups with no subunit, but then the groups that did have subunits it did not work. This would output melon.berry, but it would output all the events for apple.banana. It wouldn't do the search specifically for orange or grape. 

I am trying to have my search handle when a subunit token is passed and it is blank, what to do with it to output the correct values. 

 

Labels (2)
Labels
0 Karma
Reply

marnall
Motivator
‎03-22-2024 01:10 PM

One thing you could do is put the search filter into the token, so that if the $subunit_search$ token is empty, it won't interfere with the search:
 

index=<index> organization="$org$" unit="$unit$" $subunit_search$

 

Set your inputs so that it sets $subunit_search$ to equal "subunit=<subunit_name>" or default to "" (empty string)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...