FillNull In Timechart

IRHM73
Motivator

Hi, I'm wondering whether someone may be able to help me please.

I'm using the following to extract metrics for a number of dimension values:

`wso2_wmf(RequestCompleted)` 
request.detail.Context="levy" OR
request.detail.Context="rates-list" OR
request.detail.Context="emp" OR
request.detail.Context="identity-verification" 
| fields request.detail.Context
| timechart span=1d limit=100 count by request.detail.Context
| fillnull value=0 request.detail.Contex

The problem I have is around the zero values and the 'fillnull'. It basically doesn't work.

I've tried shifting the position of the row within the query. I've then tried using usenull=t usestr=0 in the timechart line, but none of this works.

I just wondered whether someone may be able to point out where I've gone wrong?

Many thanks and kind regards

Chris

0 Karma
1 Solution

IRHM73
Motivator

All,

Thank you for your time and trouble.

I found the solution here: https://answers.splunk.com/answers/523189/how-to-use-timechart-count-to-return-0-when-value.html

Have a good day.

Kind Regards

Chris

0 Karma

woodcock
Esteemed Legend

You are not making sense. Your search says to get only events that HAVE A VALUE for field request.detail.Context (and furthermore that the value must be in this set: levy OR rates-list OR emp OR identity-verification). Given this, it is IMPOSSIBLE to have a results set with any non-null value for request.detail.Context. So let's back up. Show a minimalist sample dataset. Show us the results that you are getting right now for your search, and mock up your desired result, pointing out the difference between the last two. As written right now, it is impossible for anyone to give you an answer.

0 Karma

IRHM73
Motivator

@woodcock the issue seems to be around the span.

If I set my date range to 2, 3, or even 4 days, then I'm retrieving the zero metric columns. However when I set the date range to say 'yesterday' that is when the issue occurs.

Kind Regards

Chris

0 Karma

woodcock
Esteemed Legend

It is still unclear what the "issue" is. It would be crystal clear if you exemplified it as I suggested.

0 Karma

skoelpin
SplunkTrust

Try this

`wso2_wmf(RequestCompleted)`
request.detail.Context="levy" OR
request.detail.Context="rates-list" OR
request.detail.Context="emp" OR
request.detail.Context="identity-verification"
| fields request.detail.Context
| timechart span=1d limit=100 count by request.detail.Context
| eval request.detail.Context=if(request.detail.Context="",0,'request.detail.Context')

0 Karma

IRHM73
Motivator

Hi @skoelpin, thank you for taking the time to come back to me with this, but unfortunately it doesn't return any of the zero values.

Many thanks and kind regards

Chris

0 Karma

skoelpin
SplunkTrust

I'm thinking it could be due to the fieldname. Try this to test it out

| timechart span=1d limit=100 count by request.detail.Context
| rename "request.detail.Context" AS Request
| eval Request=if(Request="",0,'Request')

0 Karma

IRHM73
Motivator

Hi thank you for coming back to me.

Unfortunately this doesn't make any difference to the figures returned.

Many thanks and regards

Chris

0 Karma
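
Added example, not part of the thread or of the linked answer: after `timechart count by request.detail.Context` the result columns are named after the field's values, so `fillnull` has to be given those value names, and naming a value that has no events in the selected range creates its column with 0. The events here are constructed with `makeresults` (four `levy` and two `emp`, all dated yesterday) so the search runs without the `wso2_wmf` macro.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=relative_time(now(), "-1d@d") + n*3600
| eval "request.detail.Context"=case(n<=4, "levy", true(), "emp")
| fields _time request.detail.Context
| timechart span=1d limit=100 count by request.detail.Context
| fillnull value=0 levy "rates-list" emp "identity-verification"
```

Without the last line the row for yesterday has only the `levy` and `emp` columns; with it, `rates-list` and `identity-verification` appear as 0.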