Splunk IT Service Intelligence

ITSI distinct count KPI: 0 vs. NULL values?

curtismcginity
Explorer

I have a simple KPI giving a distinct count of a USER_ID field. Assume USER_ID exists for 100% of logged events. Within ITSI, the KPI is configured to "fill gaps in data" with NULL values and an Unknown threshold level.

During a time when no events were logged, the KPI maintained a 0 value (not the NULL value). Is this a bug, or some kind of expected behavior? Any suggestions on a workaround?

RickvdIJ
Explorer

Hi,

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

The resulting search is: | stats dc(USER_ID).

Perhaps you can create a counter field, where the result of an existing field is 0 or more. And without events this field will not be there?
eval counterfield=if(USER_ID=="",1,0)

curtismcginity
Explorer

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

Actually there's a very important distinction to make here. Suppose I ask you, "How many balls are inside the box in the next room?" Consider two scenarios:

  1. You walk into the next room, see the box, look inside, and see nothing. 
  2. You walk into the next room and see nothing. No box, no balls; nothing.

These are clearly not the same scenario, and so I would expect different behavior imho. Intuitively, a human would likely respond along the lines of

  1. "Zero!"
  2. "Uhm... there is no box!"

The fundamental issue is that any feasible response to a question implicitly validates the premise(s) of the question. In case 2, we need Splunk to return a result indicating our premise is false. Indeed, the "null value" config exists, at least in part, to make this distinction... assuming it works 😉
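
The box/no-box distinction expressed in SPL, as an added example that is not part of any post in this thread. It uses only core search commands (makeresults, streamstats, where, stats, eval) with constructed input, so it can be pasted into any Splunk search bar. The final `where` rests on an assumption, not something this thread confirms: that an ITSI KPI search which emits no result row at all leaves a gap for the "fill gaps in data" setting to fill with NULL, whereas a row carrying 0 is taken as a real measurement.

```spl
| makeresults count=3
| streamstats count AS n
| eval USER_ID="user_".n
| where n > 3
| stats count AS events, dc(USER_ID) AS users
| eval users=if(events > 0, users, null())
| where events > 0
```

Line by line: the first three commands fabricate three events with distinct USER_ID values (constructed data); `where n > 3` discards all of them to simulate a window with nothing logged. Even with zero input rows, `stats` still emits one row in which both `events` and `users` are 0, which is the behaviour the thread is complaining about. The `eval` turns that into "box present, zero balls" versus "no box" by keeping 0 only when at least one event was seen and reporting null otherwise, which is what a chart or table wants. The closing `where events > 0` goes one step further and emits no row at all in the empty case; drop it if a null-valued row is what you need, or remove the `where n > 3` line to see the populated case (events=3, users=3).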

logankinman99
Path Finder

I have the exact opposite problem (but the same).
I have it set to show custom value 0 but it just shows Null.


RickvdIJ
Explorer

I have the same issue. I want to continue with the latest available value, but the result is 0. If you run, investigate, and expand the generated search, you see ITSI is performing a: | stats dc(USER_ID) and, with a macro, it stores the result in a cache.

Statistically, a result of no occurrences will result in the value 0.
I'm trying with streamstats, latest/earliest and such but no luck yet.


VatsalJagani
SplunkTrust

@curtismcginity - I think if you set that to NULL value it shows the discontinued chart.
