Splunk Search

FillNull In Timechart

IRHM73
Motivator

Hi, I'm wondering whether someone may be able to help me please.

I'm using the following to extract metrics for a number of dimension values:

`wso2_wmf(RequestCompleted)` 
request.detail.Context="levy" OR
request.detail.Context="rates-list" OR
request.detail.Context="emp" OR
request.detail.Context="identity-verification" 
| fields request.detail.Context
| timechart span=1d limit=100 count by request.detail.Context
| fillnull value=0 request.detail.Contex

The problem I have is around the zero values and the 'fillnull'. It basically doesn't work.

I've tried shifting the position of the row within the query. I've then tried using usenull=t usestr=0 in the timechart line, but none of this works.

I just wondered whether someone may be able to point out where I've gone wrong?

Many thanks and kind regards

Chris

0 Karma
1 Solution

IRHM73
Motivator

All,

Thank you for your time and trouble.

I found the solution here: https://answers.splunk.com/answers/523189/how-to-use-timechart-count-to-return-0-when-value.html

Have a good day.

Kind Regards

Chris

View solution in original post

0 Karma

IRHM73
Motivator

All,

Thank you for your time and trouble.

I found the solution here: https://answers.splunk.com/answers/523189/how-to-use-timechart-count-to-return-0-when-value.html

Have a good day.

Kind Regards

Chris

0 Karma

woodcock
Esteemed Legend

You are not making sense. You search says to get only events that HAVE A VALUE for field request.detail.Context (and furthermore that the value must be in this set: levy OR rates-list OR emp OR identity-verification ). Given this, it is IMPOSSIBLE to have a results set with any non-null value for request.detail.Context. So lets back up. Show a minimalist sample dataset. Show us the results that you are getting right now for your search, and mockup your desired result, pointing out the difference between the last two. As written right now, it is impossible for anyone to give you an answer.

0 Karma

IRHM73
Motivator

@woodcock the issue seems to be around the span.

If I set my date range to 2, 3, or even 4 days, then I'm retrieving the zero metric columns. However when I set the date range to say 'yesterday' that is when the issue occurs.

Kind Regards

Chris

0 Karma

woodcock
Esteemed Legend

It is still unclear what the "issue" is. It would be crystal clear if you exemplified it as I suggested.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this

`wso2_wmf(RequestCompleted)` 
 request.detail.Context="levy" OR
 request.detail.Context="rates-list" OR
 request.detail.Context="emp" OR
 request.detail.Context="identity-verification" 
 | fields request.detail.Context
 | timechart span=1d limit=100 count by request.detail.Context
| eval request.detail.Context=if(request.detail.Context="",0,'request.detail.Context')
0 Karma

IRHM73
Motivator

Hi @skoelpin, thank you for taking the time to come back to me with this, but unfortunately it doesn't return any of the zero values.

Many thanks and kind regards

Chris

0 Karma

skoelpin
SplunkTrust
SplunkTrust

I'm thinking it could be due to the fieldname. Try this to test it out

| timechart span=1d limit=100 count by request.detail.Context
| rename "request.detail.Context" AS Request
 | eval Request=if(Request="",0,'Request')
0 Karma

IRHM73
Motivator

Hi thank you for coming back to me.

Unfortunately this doesn't make any difference to the figures returned.

Many thanks and regards

Chris

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...