Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Appendpipe alters field values when not null

ebs
Communicator
‎06-30-2021 09:07 PM

Hi,

I'm inserting an appendpipe into my SPL so that in the event there are no results, a stats table will still be produced.

However, I am seeing differences in the field values when they are not null. Can anyone explain why this is occurring and how to fix this?

 

Labels (6)
Preview file
89 KB
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-01-2021 11:18 PM

@ebs 

Well if you want to display the Tier for which the events are not available OR has no count, I think append pipe or append column will not help you.

But as you are doing  transpose and fields in you further searches I would like to suggest you below search.

YOUR_DATAMODEL_SEARCH 
| stats count as averageResponse by Tier
| eval averageResponse=round(averageResponse,3)
| transpose 0 header_field="Tier"
| eval _time=now()
| fields unaithenticated,highPriority,lowPrioriy,unattended,largePayload _time
| fillnull value=0.000 unaithenticated,highPriority,lowPrioriy,unattended,largePayload

 

My Sample Search :

| makeresults | eval Tier="unaithenticated,highPriority,lowPrioriy",Tier=split(Tier,",") | stats count as averageResponse by Tier
| eval averageResponse=round(averageResponse,3)
| transpose 0 header_field="Tier"
| eval _time=now()
| fields unaithenticated,highPriority,lowPrioriy,unattended,largePayload _time
| fillnull value=0.000 unaithenticated,highPriority,lowPrioriy,unattended,largePayload

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-01-2021 12:06 AM

@ebs 

have you tried appendcols ?

0 Karma
Reply

ebs
Communicator
‎07-01-2021 03:35 PM

Using appendcols, there are still differences

lowPriority, unattended, and largePayload still differ from the values when not using an appendcol/appendpipe

0 Karma
Reply

ebs
Communicator
‎07-01-2021 03:36 PM
 
Preview file
85 KB
0 Karma
Reply

ebs
Communicator
‎06-30-2021 09:08 PM

SPL results when there is no appendpipe

Preview file
78 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...