- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I fill a null value with another field's value...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have seen two other related questions but neither of the answers have worked for me.
Data:
Events with a controller_node and an execution_node (controller node is blank if run locally on execution_node).
id, controller_node, execution_node
1,a,b
2,,a
3,,a
4,,b
5,,b
6,,b
7,b,a
8,,a
Trying "...|eval controller_node=coalesce(controller_node, execution_node|stats count by controller_node" should return:
a: 4
b:4
However, I am only getting:
a:1
b:1
NULL:6
I don't think the eval is working as expected. I also tried to do "...|fillnull value=execution_node controller_node" to no avail.
What is the correct way to evaluate if controller_node is null on each event and set the null value to the value of execution_node unique to each event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting. I would have thought the coalesce should work.
I could reproduce it though, I think controller_node is actually not null, but just empty for you. As workaround, you could use len() on controller_node.
My test:
| makeresults | eval input="1,a,b;2,,a;3,,a;4,,b;5,,b;6,,b;7,b,a;8,,a" | makemv delim=";" input | mvexpand input | rex field=input "(?<id>[^,]+),(?<controller_node>[^,]*),(?<execution_node>.+)" | eval controller_node=if(len(controller_node)>0,controller_node,execution_node)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works for me:
| makeresults
| eval _raw="id,controller_node,execution_node
1,a,b
2,,a
3,,a
4,,b
5,,b
6,,b
7,b,a
8,,a"
| multikv forceheader=1
| fields id controller_node execution_node
| eval controller_node=coalesce(controller_node, execution_node)
| stats count by controller_node
I get this:
controller_node count
a 4
b 4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting. I would have thought the coalesce should work.
I could reproduce it though, I think controller_node is actually not null, but just empty for you. As workaround, you could use len() on controller_node.
My test:
| makeresults | eval input="1,a,b;2,,a;3,,a;4,,b;5,,b;6,,b;7,b,a;8,,a" | makemv delim=";" input | mvexpand input | rex field=input "(?<id>[^,]+),(?<controller_node>[^,]*),(?<execution_node>.+)" | eval controller_node=if(len(controller_node)>0,controller_node,execution_node)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you need the filldown command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Filldown
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
