Solved: Re: Can one generate a report with a "N/A" entry i...

Gawker · ‎04-13-2018

I can generate an incident report by server that looks like this:

Host_Name Event_Count
myhost-01 11
myhost-02 2

If there isn't any data for the observation period, I want to generate something like this:

Host_Name Event_Count
n/a 0

I've tried using several eval and fillnull statements to get past this. Example:

       ...| stats sum(linecount) as Total_Events BY host | fillnull host value="N/A"

Thank you.

somesoni2 · ‎04-13-2018

Try like this

...| stats sum(linecount) as Total_Events BY host | appendpipe [| stats count | where count=0 | rename count as Total_Events | eval host="N/A" | table host Total_Events]

View solution in original post

somesoni2 · ‎04-13-2018

Try like this

...| stats sum(linecount) as Total_Events BY host | appendpipe [| stats count | where count=0 | rename count as Total_Events | eval host="N/A" | table host Total_Events]

Gawker · ‎04-16-2018

Works great. Thank you for the solution and insight.

Can one generate a report with a "N/A" entry if no data found, but with real data if present

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!