Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can stats latest(X) return a null value?

thunder_wu
Path Finder
‎01-21-2016 11:53 AM

X Y

a 1
b 1
null 1

<search> | stats latest(X) by Y

will return "b" as result, is it possible to have it return null as result?

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MattZerfas
Communicator
‎01-21-2016 12:27 PM

You could do a |fillnull before your stats so that way the null value actually has a value then when stats runs it can populate it correctly.

.... | fillnull X value="NULL" | stats  latest(X) by Y

View solution in original post

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-21-2016 12:51 PM

Yes, as @somesoni2 pointed out. If your running your search against time then you will have null results. Are you trying to exclude the null values from your results?

Reply
Solved! Jump to solution

thunder_wu
Path Finder
‎01-21-2016 01:03 PM

I'm actually trying to include instead of exclude the null values from my result.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-21-2016 12:46 PM

The latest functions based on _time so yes it could be possible to have a latest value as null. Run the query in verbose mode and check if the latest event with your criteria indeed has null value for that field.

Reply
Solved! Jump to solution
Solution

MattZerfas
Communicator
‎01-21-2016 12:27 PM

You could do a |fillnull before your stats so that way the null value actually has a value then when stats runs it can populate it correctly.

.... | fillnull X value="NULL" | stats  latest(X) by Y
Reply
Solved! Jump to solution

thunder_wu
Path Finder
‎01-21-2016 01:02 PM

Thanks MattZerfas. Your answer is working for me.

I do have a large set of events before | stats though. Anyone know if there should be any concern on the cost or performance if there are thousands or millions events to convert the null value?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-21-2016 01:07 PM

Large can be a relative term in Splunk.. There could definitely be a performance issue if you're doing > 10 million +. If you see an impact on performance then you may want to consider optimizing your query or setting up a summary index (This is needed on rare occasions when the data is massive)

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...