Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Replacing blank values with "0"

leandromatperei
Path Finder
‎11-03-2020 09:31 AM

Hi,

I'm trying to replace the blank values ​​in my query with 0s. If the Extension has no record in the log, it must appear zero in the count. I tried with filnull but I was not successful, another thing is that I would like to always order in a descending way how could I do?

 

| inputlookup ramais.csv | fields - Site
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]

 

Result:

Ramalcount
1111111 
222222265
3333333 
4444444 
5555555 
666666636
Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2020 09:51 AM

You say you've tried fillnull, but I don't see it in your query.  If this doesn't work

| inputlookup ramais.csv | fields - Site
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]
| fillnull value=0 count

then please try this query

| inputlookup ramais.csv | fields - Site
| eval count = 0
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]

 To order the results by count, use the sort command.

| inputlookup ramais.csv | fields - Site
| eval count = 0
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]
| sort - count

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2020 09:51 AM

You say you've tried fillnull, but I don't see it in your query.  If this doesn't work

| inputlookup ramais.csv | fields - Site
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]
| fillnull value=0 count

then please try this query

| inputlookup ramais.csv | fields - Site
| eval count = 0
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]

 To order the results by count, use the sort command.

| inputlookup ramais.csv | fields - Site
| eval count = 0
| join type=left Ramal
[search index=raw_ramais
    | rex field=_raw "EXTENSION:(?<Ramal>\+?\d+)"
    | stats count by Ramal
]
| sort - count

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...