Splunk IT Service Intelligence

ITSI distinct count KPI: 0 vs. NULL values?

I have a simple KPI giving a distinct count of a USERID field. Assume USERID exists for 100% of logged events. Within ITSI, the KPI is configured to "fill gaps in data" with NULL values and an Unknown threshold level.

During a time when no events were logged, the KPI maintained a 0 value (not the NULL value). Is this a bug, or some kind of expected behavior? Any suggestions on a workaround?

Engager

Hi,

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

The resulting search is: | stats dc(USER_ID).

Perhaps you can create a counter field, where the result of an existing field is 0 or more. And without events this field will not be there?
eval counterfield=if(USER_ID=="",1,0)

0 Karma

Path Finder

I have the exact opposite problem (but the same).
I have it set to show custom value 0 but it just shows Null.

0 Karma

Engager

I have the same issue. I want to continue with the latest available value but the result is 0. If you run, investigate and expand the generated search you see ITSI is performing a: | stats dc(USER_ID) and with a macro it stores the result in a cache.

Statistically, a result of no occurrences will result in the value 0.
I'm trying with streamstats, latest/earliest and such but no luck yet.

0 Karma

Motivator

@curtismcginity - I think if you set that to NULL value it shows the discontinued chart.

0 Karma