I have seen two other related questions, but neither of the answers has worked for me.
Events with a controller_node and an execution_node (controller node is blank if run locally on execution_node).
id, controller_node, execution_node
Trying "...|eval controller_node=coalesce(controller_node, execution_node)|stats count by controller_node" should return:
However, I am only getting:
I don't think the eval is working as expected. I also tried to do "...|fillnull value=execution_node controller_node" to no avail.
What is the correct way to evaluate if controller_node is null on each event and set the null value to the value of execution_node unique to each event?
Interesting. I would have thought the coalesce should work.
I could reproduce it, though. I think controller_node is actually not null, but just empty for you. As a workaround, you could use len() on controller_node.
| makeresults
| eval input="1,a,b;2,,a;3,,a;4,,b;5,,b;6,,b;7,b,a;8,,a"
| makemv delim=";" input
| mvexpand input
| rex field=input "(?<id>[^,]+),(?<controller_node>[^,]*),(?<execution_node>.+)"
| eval controller_node=if(len(controller_node)>0,controller_node,execution_node)
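
An added example, not part of either answer: a self-contained search over constructed events that puts the three possible states of controller_node (set, empty or whitespace-only, truly null) side by side. coalesce() alone only replaces the null rows; wrapping the field in nullif(trim(...), "") first turns empty values into null, so the fallback to execution_node applies to them as well. The field names state, coalesce_only and normalized are illustrative, and the whitespace-only row goes slightly beyond the empty-string case discussed above.

```spl
| makeresults count=6
| streamstats count AS id
| eval execution_node=case(id==1,"b", id==2,"a", id==3,"a", id==4,"b", id==5,"a", id==6,"b")
| eval controller_node=case(id==1,"a", id==2,"", id==3,"  ", id==5,"b")
| eval state=case(isnull(controller_node),"null", len(trim(controller_node))==0,"empty", true(),"set")
| eval coalesce_only=coalesce(controller_node, execution_node)
| eval normalized=coalesce(nullif(trim(controller_node), ""), execution_node)
| table id state controller_node execution_node coalesce_only normalized
```

Rows 4 and 6 get no controller_node at all because case() returns null when no condition matches; replace the final table with `| stats count by normalized` to get the per-node counts the question asks for.
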
This works for me:
| eval _raw="id,controller_node,execution_node
| multikv forceheader=1
| fields id controller_node execution_node
| eval controller_node=coalesce(controller_node, execution_node)
| stats count by controller_node
I get this:
Yes, you need the filldown command: