Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Input filter returning null values

vitorvmiguel
Explorer
‎06-08-2015 06:38 AM

Hi folks,

I'm building a dashboard with several multiple inputs, and i'm facing a trouble while filtering a field named "mensagem", because i want to display de null values, but when i use fillnull it generates a conflict between the search of the field "mensagem" and the fillnull command.
The querie i'm using below.

index="raw_internet" tipo="$tipo$" AND programa="$prgr$" AND codigo="$cder$" AND mensagem="$msgm$" AND servidor="$srvd$" AND codigoAcesso="$cdac$"| fillnull mensagem value="Nenhuma" | table _time, tipo, programa, mensagem, codigo, servidor

There's anyone there that can help me?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-08-2015 08:25 AM

I do not believe that what you are describing can be true. I suspect the values are actually whitespace because it really doesn't make sense otherwise. If your search uses (and it does) AND mensagem="$msgm$", then there is NOTHING that can be passed in for token msgm that will allow events that do not have a value for field mensagem (i.e. "many [events with] null values") to return from the search because implied in that clause is the stipulation that field mensagem exists and has a value that is not NULL. You absolutely must be misinterpreting your search results.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-08-2015 08:25 AM

I do not believe that what you are describing can be true. I suspect the values are actually whitespace because it really doesn't make sense otherwise. If your search uses (and it does) AND mensagem="$msgm$", then there is NOTHING that can be passed in for token msgm that will allow events that do not have a value for field mensagem (i.e. "many [events with] null values") to return from the search because implied in that clause is the stipulation that field mensagem exists and has a value that is not NULL. You absolutely must be misinterpreting your search results.

0 Karma
Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-08-2015 08:56 AM

So, if the values are whitespace how can i do the same thing? Instead of Null is whitespace? Can you send me one exemple? Sorry my english is far from perfect.

index="raw_internet" tipo="$tipo$" AND programa="$prgr$" AND codigo="$cder$" AND mensagem="$msgm$" AND servidor="$srvd$" AND codigoAcesso="$cdac$"| fillnull mensagem value="Nenhuma" | table _time, tipo, programa, mensagem, codigo, servidor

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-08-2015 09:31 AM

Assuming you are OK with the fact that your form, as it is written right now, will ALWAYS drop EVERY event that does not have a (non-NULL) value for each and every field that you are "filtering" (which I find VERY hard to believe), you can do it like this:

index="raw_internet" tipo="$tipo$" AND programa="$prgr$" AND codigo="$cder$" AND mensagem="$msgm$" AND servidor="$srvd$" AND codigoAcesso="$cdac$"| eval mensagem = if(match(mensagem, "^\s*$"), "Nenhuma", mensagem) | table _time, tipo, programa, mensagem, codigo, servidor

0 Karma
Reply
Solved! Jump to solution

vitorvmiguel
Explorer
‎06-08-2015 10:31 AM

Thanks woodcock, i must be misusing something.

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
li.common.scroll-to.top