Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I fill my null field from a subsearch?

jsven7
Communicator
‎06-16-2022 03:25 PM

Situation:

  • The data I need resides in the below:

 

 

index=X (sourcetypeA=X fieldA=X) OR (sourcetypeB=X fieldB=X)
| rename fieldA as fieldB
| stats count by fieldC, fieldD, fieldE, fieldB

 

 

Problem:

  • "fieldD" only has a value when I modify the search as such:

 

 

index=X (sourcetypeA=X NOT fieldA=X) OR (sourcetypeB=X NOT fieldB=X)
| rename fieldA as fieldB
| stats count by fieldC, fieldD, fieldE, fieldB

 

 

--------------------------------------

Based on my research I presume I am 100% incorrect but I've been trying to use join with no success. I suspect the answer is to use a subsearch however I can't figure out how to construct it so that I can always get a value for "fieldD". Any help would be greatly appreciated.

Labels (1)
Labels
Tags (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-16-2022 08:22 PM 
| fillnull value="N/A" fieldD
0 Karma
Reply

jsven7
Communicator
‎06-17-2022 04:20 AM 
index=X (sourcetypeA=X NOT fieldA=X) OR (sourcetypeB=X NOT fieldB=X)

Apologies I failed to mention that I actually need to retrieve the value of "field D" from the above search so that its displayed in the below search:

index=X (sourcetypeA=X fieldA=X) OR (sourcetypeB=X fieldB=X)
| rename fieldA as fieldB
| stats count by fieldC, fieldD, fieldE, fieldB
Tags (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-17-2022 04:24 AM 
| stats count values(fieldD) as fieldD by fieldC, fieldE, fieldB
0 Karma
Reply

jsven7
Communicator
‎06-17-2022 11:13 AM

Thank you for your assistance. That did not work. Here is the join example I attempted. It might give a better idea at the problem I'm facing:

 

index=X
``` Dataset 1. When fieldA has a value fieldD is missing. ```
(sourcetype=sourcetypeA fieldA=X) OR 

``` Dataset 2. When fieldA has a value fieldD is missing.  ```
(sourcetype=sourcetypeB fieldB=X)

| rename fieldA as fieldB

| fillnull value="N/A" fieldD

``` This is the only way I presume I can append fieldD to my dataset. fieldD is only available when fieldA and fieldB above don't have values. ```
| join type=left fieldC [search index=X sourcetype IN (sourcetypeA,sourcetypeB) fieldD="*"]

| stats count by fieldA, fieldC, fieldD, fieldE, fieldB

 

Problem: fieldD="N/A"

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-18-2022 12:04 AM

Depending on your actual events, try something like this

index=X (sourcetype=sourcetypeA OR sourcetype=sourcetypeB)

| eval fieldB = coalesce(fieldB, fieldA)

| eventstats values(fieldD) as fieldD by fieldC

| where fieldA=X OR fieldB=X

| stats count by fieldA, fieldC, fieldD, fieldE, fieldB

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...