Solved: Re: Counting values

mkrauss1 · ‎02-12-2013

Hi,
i have a key value pair say FTYPE=VAL1 and FTYPE=VAL2 and create a timechart with

earliest=-1d@d latest=now | timechart
count(eval(FTYPE=VAL1)) as TYPE1, count(eval(FTYPE="VAL2")) as TYPE2

All for sudden i notice that the expected numbers are wrong because some of the FTYPE values are blank like FTYPE=

How can i create the timechart where blank FTYPE values are treated as VAL1? I tried something like
count(eval(FTYPE=VAL1 OR FTYPE="")) as TYPE1

somehow that doesn't work either.

Any ideas? Many thanks ...

jonuwz · ‎02-12-2013

You test for null like this : isnull(field)
So your search would be :

FTYPE=VAL1 OR isnull(FTYPE)

or, you could jsut do this beforehand :

... | eval FTYPE=if(isnull(FTYPE),"VAL1",FTYPE) | ...

jonuwz · ‎02-12-2013

You test for null like this : isnull(field)
So your search would be :

FTYPE=VAL1 OR isnull(FTYPE)

or, you could jsut do this beforehand :

... | eval FTYPE=if(isnull(FTYPE),"VAL1",FTYPE) | ...

Counting values