
Reporting on "Other"

a212830
Champion

Hi,

I am doing a search to report on some eventtypes. The eventtypes report fine, but I also want to put anything that isn't categorized as an eventtype into "other" in the table. Is there a way to do this?

0 Karma

sowings
Splunk Employee

| where isnull(eventtype) ?


0 Karma


a212830
Champion

Awesome. Thanks. Just took the second reporting class and things are slowly clicking...

0 Karma

sowings
Splunk Employee

Sorry, I thought you wanted to search expressly for items which did not have an assigned eventtype. I suggest yannK's answer above.

0 Karma

yannK
Splunk Employee

source="/var/opt/trapx/log/traps-all.log" | eval eventtype=if(isnull(eventtype),"null",eventtype) | fields eventtype, host |chart count by eventtype, host |addcoltotals | addtotals fieldname=Totals

If the events have no eventtype, then the field will be created and populated with "null".

a212830
Champion

Lost me on that - what is it doing?

My search is:
source="/var/opt/trapx/log/traps-all.log" | fields eventtype, host |chart count by eventtype, host |addcoltotals | addtotals fieldname=Totals

Which works fine, but ignores "non-eventtypes". I want to include totals for these in my chart.

0 Karma
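An added example, not part of any post in this thread: `chart count by eventtype, host` leaves out events whose `eventtype` is null, so the field has to be filled before charting. The search below runs without the original log file by generating six constructed events with `makeresults` (the host names and the `linkdown` / `authfail` values are made up; two events are deliberately left without an eventtype) and labels the unclassified ones "other", as the question asked.

```spl
| makeresults count=6
| streamstats count AS n
| eval host=if(n%2==0, "hostA", "hostB")
| eval eventtype=case(n<=2, "linkdown", n<=4, "authfail")
| eval eventtype=if(isnull(eventtype), "other", eventtype)
| chart count by eventtype, host
| addcoltotals
| addtotals fieldname=Totals
```

Removing the `eval eventtype=if(isnull(...))` line makes the "other" row disappear and the totals drop by the two unclassified events, which is the behaviour described in the question.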