Splunk Search
Highlighted

FillNull In Timechart

Motivator

Hi, I'm wondering whether someone may be able to help me please.

I'm using the following to extract metrics for a number of dimension values:

`wso2_wmf(RequestCompleted)` 
request.detail.Context="levy" OR
request.detail.Context="rates-list" OR
request.detail.Context="emp" OR
request.detail.Context="identity-verification" 
| fields request.detail.Context
| timechart span=1d limit=100 count by request.detail.Context
| fillnull value=0 request.detail.Contex

The problem I have is around the zero values and the 'fillnull'. It basically doesn't work.

I've tried shifting the position of the row within the query. I've then tried using usenull=t usestr=0 in the timechart line, but none of this works.

I just wondered whether someone may be able to point out where I've gone wrong?

Many thanks and kind regards

Chris

0 Karma
Highlighted

Re: FillNull In Timechart

SplunkTrust
SplunkTrust

Try this

`wso2_wmf(RequestCompleted)` 
 request.detail.Context="levy" OR
 request.detail.Context="rates-list" OR
 request.detail.Context="emp" OR
 request.detail.Context="identity-verification" 
 | fields request.detail.Context
 | timechart span=1d limit=100 count by request.detail.Context
| eval request.detail.Context=if(request.detail.Context="",0,'request.detail.Context')
0 Karma
Highlighted

Re: FillNull In Timechart

Motivator

Hi @skoelpin, thank you for taking the time to come back to me with this, but unfortunately it doesn't return any of the zero values.

Many thanks and kind regards

Chris

0 Karma
Highlighted

Re: FillNull In Timechart

SplunkTrust
SplunkTrust

I'm thinking it could be due to the fieldname. Try this to test it out

| timechart span=1d limit=100 count by request.detail.Context
| rename "request.detail.Context" AS Request
 | eval Request=if(Request="",0,'Request')
0 Karma
Highlighted

Re: FillNull In Timechart

Motivator

Hi thank you for coming back to me.

Unfortunately this doesn't make any difference to the figures returned.

Many thanks and regards

Chris

0 Karma
Highlighted

Re: FillNull In Timechart

Esteemed Legend

You are not making sense. You search says to get only events that HAVE A VALUE for field request.detail.Context (and furthermore that the value must be in this set: levy OR rates-list OR emp OR identity-verification ). Given this, it is IMPOSSIBLE to have a results set with any non-null value for request.detail.Context. So lets back up. Show a minimalist sample dataset. Show us the results that you are getting right now for your search, and mockup your desired result, pointing out the difference between the last two. As written right now, it is impossible for anyone to give you an answer.

0 Karma
Highlighted

Re: FillNull In Timechart

Motivator

@woodcock the issue seems to be around the span.

If I set my date range to 2, 3, or even 4 days, then I'm retrieving the zero metric columns. However when I set the date range to say 'yesterday' that is when the issue occurs.

Kind Regards

Chris

0 Karma
Highlighted

Re: FillNull In Timechart

Esteemed Legend

It is still unclear what the "issue" is. It would be crystal clear if you exemplified it as I suggested.

0 Karma
Highlighted

Re: FillNull In Timechart

Motivator

All,

Thank you for your time and trouble.

I found the solution here: https://answers.splunk.com/answers/523189/how-to-use-timechart-count-to-return-0-when-value.html

Have a good day.

Kind Regards

Chris

View solution in original post

0 Karma