Solved: FillNull In Timechart

IRHM73 · ‎04-22-2018

Hi, I'm wondering whether someone may be able to help me please.

I'm using the following to extract metrics for a number of dimension values:

`wso2_wmf(RequestCompleted)` 
request.detail.Context="levy" OR
request.detail.Context="rates-list" OR
request.detail.Context="emp" OR
request.detail.Context="identity-verification" 
| fields request.detail.Context
| timechart span=1d limit=100 count by request.detail.Context
| fillnull value=0 request.detail.Contex

The problem I have is around the zero values and the 'fillnull'. It basically doesn't work.

I've tried shifting the position of the row within the query. I've then tried using usenull=t usestr=0 in the timechart line, but none of this works.

I just wondered whether someone may be able to point out where I've gone wrong?

Many thanks and kind regards

Chris

IRHM73 · ‎04-22-2018

All,

Thank you for your time and trouble.

I found the solution here: https://answers.splunk.com/answers/523189/how-to-use-timechart-count-to-return-0-when-value.html

Have a good day.

Kind Regards

Chris

View solution in original post

IRHM73 · ‎04-22-2018

All,

Thank you for your time and trouble.

I found the solution here: https://answers.splunk.com/answers/523189/how-to-use-timechart-count-to-return-0-when-value.html

Have a good day.

Kind Regards

Chris

woodcock · ‎04-22-2018

You are not making sense. You search says to get only events that HAVE A VALUE for field request.detail.Context (and furthermore that the value must be in this set: levy OR rates-list OR emp OR identity-verification ). Given this, it is IMPOSSIBLE to have a results set with any non-null value for request.detail.Context. So lets back up. Show a minimalist sample dataset. Show us the results that you are getting right now for your search, and mockup your desired result, pointing out the difference between the last two. As written right now, it is impossible for anyone to give you an answer.

IRHM73 · ‎04-22-2018

@woodcock the issue seems to be around the span.

If I set my date range to 2, 3, or even 4 days, then I'm retrieving the zero metric columns. However when I set the date range to say 'yesterday' that is when the issue occurs.

Kind Regards

Chris

woodcock · ‎04-22-2018

It is still unclear what the "issue" is. It would be crystal clear if you exemplified it as I suggested.

skoelpin · ‎04-22-2018

Try this

`wso2_wmf(RequestCompleted)` 
 request.detail.Context="levy" OR
 request.detail.Context="rates-list" OR
 request.detail.Context="emp" OR
 request.detail.Context="identity-verification" 
 | fields request.detail.Context
 | timechart span=1d limit=100 count by request.detail.Context
| eval request.detail.Context=if(request.detail.Context="",0,'request.detail.Context')

IRHM73 · ‎04-22-2018

Hi @skoelpin, thank you for taking the time to come back to me with this, but unfortunately it doesn't return any of the zero values.

Many thanks and kind regards

Chris

skoelpin · ‎04-22-2018

I'm thinking it could be due to the fieldname. Try this to test it out

| timechart span=1d limit=100 count by request.detail.Context
| rename "request.detail.Context" AS Request
 | eval Request=if(Request="",0,'Request')

IRHM73 · ‎04-22-2018

Hi thank you for coming back to me.

Unfortunately this doesn't make any difference to the figures returned.

Many thanks and regards

Chris

FillNull In Timechart

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...