Splunk Enterprise

Replacing blank values with "0"

leandromatperei
Path Finder

Hi,

I'm trying to replace the blank values ​​in my query with 0s. If the Extension has no record in the log, it must appear zero in the count. I tried with filnull but I was not successful, another thing is that I would like to always order in a descending way how could I do?

 

| inputlookup ramais.csv | fields - Site
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]

 

Result:

Ramalcount
1111111 
222222265
3333333 
4444444 
5555555 
666666636
Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You say you've tried fillnull, but I don't see it in your query.  If this doesn't work

| inputlookup ramais.csv | fields - Site
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]
| fillnull value=0 count

then please try this query

| inputlookup ramais.csv | fields - Site
| eval count = 0
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]

 To order the results by count, use the sort command.

| inputlookup ramais.csv | fields - Site
| eval count = 0
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]
| sort - count

 

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You say you've tried fillnull, but I don't see it in your query.  If this doesn't work

| inputlookup ramais.csv | fields - Site
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]
| fillnull value=0 count

then please try this query

| inputlookup ramais.csv | fields - Site
| eval count = 0
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]

 To order the results by count, use the sort command.

| inputlookup ramais.csv | fields - Site
| eval count = 0
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]
| sort - count

 

---
If this reply helps you, an upvote would be appreciated.
0 Karma