Splunk Search

Fill nulls based on previous value

arramack
Engager

I have events that contain the following data:

Time, Name, Value, Quality.

The Quality value can either be "Good" or "Bad", meaning the measurement was made or not. If Quality is "Bad", then the Value will be 0. Otherwise Value is a number (which can also be 0).

I am logging the data per second, but only if there is a data change. What I want is a search that always returns a value for every second, even if there is no event in that second.

If there is no event, then the event must be the same as the previous event logged.

I have tried to use

source="tcp:51112" | timechart span=1s Max(Value) by Tag | filldown

but that doesn't show me the Quality. I will also have many tags later on (up to 5000), so then I will have 5000 columns. I don't know if that is very efficient. This will be used for graphing 1-10 Tags at a time.


Stevelim
Communicator

Hi Arramack,

How about

TagName="Your Tag" Value=* | eval Quality=if(Quality=="Good", 192, 0) | timechart span=1s sum(Value) as Value, sum(Quality) as Quality by TagName | filldown


This will only work for one tag, but if you couple it with an input field, you can have a dropdown for all 5000 to select them one by one. I am not exactly sure this is the best way to visualize so many tags. What you can consider is having clones of the table, i.e. clone this table 10 times for 10 Tags on your dashboard.

0 Karma
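The question asks for one row per second per tag, repeating the last logged Value and Quality when no event arrived, and the answer above works around timechart's numeric-only aggregation by encoding Quality as a number before filldown. The following Python is an added example (not code from the original thread or from Splunk) that reproduces what `timechart span=1s ... | filldown` does for both fields at once, using constructed sample events; it assumes at most one event per tag per second (the later one wins otherwise) and leaves seconds before a tag's first event empty, as filldown does when there is no previous value.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): sparse per-second
# changes for two tags. A "Bad" Quality always carries Value 0, as the
# question describes.
EVENTS = [
    {"time": "2024-01-01T00:00:00", "tag": "TagA", "value": 10.0, "quality": "Good"},
    {"time": "2024-01-01T00:00:03", "tag": "TagA", "value": 0.0,  "quality": "Bad"},
    {"time": "2024-01-01T00:00:05", "tag": "TagA", "value": 12.5, "quality": "Good"},
    {"time": "2024-01-01T00:00:02", "tag": "TagB", "value": 7.0,  "quality": "Good"},
]


def parse_ts(s):
    """Parse the ISO-like timestamp used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def fill_per_second(events, start, end, tags):
    """Return {tag: [(time, value, quality), ...]} with one row per second.

    Mimics 'timechart span=1s ... | filldown' but keeps Quality next to Value:
    a second with no event repeats the last seen (value, quality) for that tag.
    Seconds before the tag's first event stay (None, None), matching filldown's
    behaviour when there is no previous value to carry forward.
    """
    # Bucket events by tag and second; a later event in the same second wins.
    by_tag = {tag: {} for tag in tags}
    for e in events:
        if e["tag"] in by_tag:
            by_tag[e["tag"]][parse_ts(e["time"])] = (e["value"], e["quality"])

    out = {}
    for tag in tags:
        rows = []
        last = (None, None)          # nothing to fill down from yet
        t = start
        while t <= end:
            if t in by_tag[tag]:
                last = by_tag[tag][t]  # new observation: becomes the fill value
            rows.append((t, last[0], last[1]))
            t += timedelta(seconds=1)
        out[tag] = rows
    return out


if __name__ == "__main__":
    series = fill_per_second(EVENTS, parse_ts("2024-01-01T00:00:00"),
                             parse_ts("2024-01-01T00:00:06"), ["TagA", "TagB"])
    for tag, rows in series.items():
        for t, value, quality in rows:
            print(tag, t.strftime("%H:%M:%S"), value, quality)
```

Because the fill is done per tag, a dashboard graphing 1-10 tags only needs the series for those tags; the 5000-column wide table that `timechart ... by Tag` produces is not needed for the fill itself.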

gyslainlatsa
Motivator

Hi arramack,
Try adding this to your query for the values of the Quality field: eval QUALITY=if(Quality="Bad",0,"")

source="tcp:51112" | eval QUALITY=if(Quality="Bad",0,"") | timechart span=1s Max(Value) by Tag | filldown

arramack
Engager

After I run timechart my columns are _time, TagName1, TagName2, TagName3 etc..

Under the TagName I have the value for each timestamp.

That's the problem. Timechart completely screws up the table structure. There is no place to put the Quality component.

0 Karma

ngatchasandra
Builder

Hi arramack,
I think that if your query doesn't show you the Quality, it is because of the filldown command: if there were no previous values for a field (in this case the Quality field), it will be left blank (NULL). I refer to the Search Reference Manual; follow the link below:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Filldown

0 Karma