Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Displaying Blank Using Data Models

robertlynch2020
Influencer
‎03-30-2017 06:02 AM

Hi

I have data that looks like below, as you can see some parts have blanks.

  Date  |    Time    | UserName |iD     |           Context            |           Command            
20161209|17:28:55.238|MUREXFO   |     1 |LOGIN                         |SPBActUserLogin              
20161209|17:29:02.456|MUREXFO   |     1 |                              |Login                       
20161209|17:29:28.555|MUREXFO   |     2 |Report Selection              |                            
20161209|17:29:32.344|MUREXFO   |     3 |Report Selection NAME         |&Open                     
20161209|17:29:33.404|MUREXFO   |     4 |Creation INFO                 |&Open                    
20161209|17:29:35.966|MUREXFO   |     5 |ADT_OBJDSP                    |                         
20161209|17:29:38.907|MUREXFO   |     6 |Scenario details              |Open

I am able to work whit these with a normal Query, however when i use Data Models i cant.

Below Query works as i can replace blank with NULL and that is fine - I get 10 entries and it displays NULL

index=mlc_log_drop host="mxtiming_qc3"  source="/net/dell425srv/dell425srv/apps/SPLUNK_FILES/MXTIMING_QC3/Resources/logs/MXTIMING/mxtiming_small.log" | fillnull value=NULL |dedup Context |table Context

However i cant seem to do this with DataModels, I only get 9 entries as NULL is not displayed. I am not sure how to add this at the DataModel level.

| tstats count(MXTIMING.CPU) AS count FROM datamodel=MXTIMING where  source="/net/dell425srv/dell425srv/apps/SPLUNK_FILES/MXTIMING_QC3/Resources/logs/MXTIMING/mxtiming_small.log" groupby MXTIMING.Context

We can see in the image i get 9 results in the tstats and 10 in the normal with NULL
alt text

alt text

Preview file
31 KB
Preview file
32 KB
Reply

DavidHourani
Super Champion
‎09-25-2024 01:57 AM

I think you're lookin for fillnull_value 
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/tstats#Optional_arguments

0 Karma
Reply

Masa
Splunk Employee
Splunk Employee
‎04-03-2017 10:52 AM

tstats groupby is similar to "stats split-by". So, if by field is null, you cannot populate result for null field.
So, you need to find a field or combination of fields for groupby.

I'm not sure if the following search works in your case...but, here is a tstats search example.

| tstats values(MXTIMING.Context) as Context 
         FROM datamodel=MXTIMING 
         where source="*/mxtiming_small.log" 
         groupby MXTIMING.Date MXTIMING.Time MXTIMING.UserName 
         prestats=t
| fillnull value=NULL 
| stats count by Context
0 Karma
Reply

robertlynch2020
Influencer
‎04-04-2017 06:41 AM

Thanks for this.

I put this in but the performance was a bit slow over Millions of lines as i was doing a lot of calculations after the datamodel.

In fact you gave me a great idea.

Soooooo. I changed the datamodel to have Context=if(isnull(Context),"NULL",Context). This worked great as now it has NULL at the datamodel level and i can now get all the data i need with the original query.

Reply

Masa
Splunk Employee
Splunk Employee
‎04-05-2017 02:37 PM

glad to hear that you found a good solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...