Splunk IT Service Intelligence

ITSI distinct count KPI: 0 vs. NULL values?

curtismcginity
Explorer

I have a simple KPI giving a distinct count of a USER_ID field. Assume USER_ID exists for 100% of logged events. Within ITSI, the KPI is configured to "fill gaps in data" with NULL values and an Unknown threshold level.

During a time when no events were logged, the KPI maintained a 0 value (not the NULL value). Is this a bug, or some kind of expected behavior? Any suggestions on a workaround?

RickvdIJ
Explorer

Hi,

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

The resulting search is: | stats dc(USER_ID).

Perhaps you can create a counter field, where the result of an existing field is 0 or more. And without events this field will not be there?
eval counterfield=if(USER_ID=="",1,0)

curtismcginity
Explorer

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

Actually there's a very important distinction to make here. Suppose I ask you, "How many balls are inside the box in the next room?" Consider two scenarios:

  1. You walk into the next room, see the box, look inside, and see nothing. 
  2. You walk into the next room and see nothing. No box, no balls; nothing.

These are clearly not the same scenario, and so I would expect different behavior imho. Intuitively, a human would likely respond along the lines of

  1. "Zero!"
  2. "Uhm... there is no box!"

The fundamental issue is that any feasible response to a question implicitly validates the premise(s) of the question. In case 2, we need Splunk to return a result indicating our premise is false. Indeed, the "null value" config exists, at least in part, to make this distinction... assuming it works 😉
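An added example, not from any poster here, showing one way to encode the box/ball distinction above in the KPI's own search (the index and sourcetype are assumptions): count the events in the same stats call and turn the distinct count into null when there were none.

```spl
index=app_logs sourcetype=app_events
| stats count AS event_count, dc(USER_ID) AS distinct_users
| eval distinct_users = if(event_count == 0, null(), distinct_users)
| fields distinct_users
```

stats still emits one row when nothing matched, so event_count is 0 and distinct_users comes out null rather than 0 (scenario 2), while a window with events all from one user gives 1 (scenario 1). Whether ITSI then applies the configured NULL fill to that null field is an assumption to confirm by expanding the generated KPI search.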

logankinman99
Path Finder

I have the exact opposite problem (but the same).
I have it set to show custom value 0 but it just shows Null.


RickvdIJ
Explorer

I have the same issue. I want to continue with the latest available value, but the result is 0. If you run, investigate, and expand the generated search, you see ITSI is performing a | stats dc(USER_ID) and, with a macro, it stores the result in a cache.

Statistically, a result of no occurrences will result in the value 0.
I'm trying with streamstats, latest/earliest and such but no luck yet.


VatsalJagani
Super Champion

@curtismcginity - I think if you set that to a NULL value it shows the discontinued chart.
