Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fillnull not working with chart

lyndac
Contributor
‎05-15-2015 08:13 AM

I'm trying to create a simple chart of the number of tickets for a specified subsystem. However the subsystem field is not always provided. Currently, there is a "slice" in my pie chart for tickets with no subsystem, but it has no label (because the subsystem is empty). The search I'm using is index=myIndex | fillnull value="Not Provided" subsystem | chart count(ticket) by subsystem. I have tried moving the fillnull to after the chart command and I have tried value=NONE but no luck. Please help

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

lyndac
Contributor
‎05-15-2015 11:39 AM

This works:

index=myIndex
|eval subsystem=if (subsystem == "", "Not Provided", subsystem)
| chart count(ticket) by subsystem

View solution in original post

Reply
Solved! Jump to solution

chimell
Motivator
‎05-15-2015 03:15 PM

Hi lyndac

I think that you must simply retry like this :

index=myIndex | fillnull value=NONE subsystem | chart count(ticket) by subsystem

Look at this example it works well

sourcetype=access_* |fillnull value=NONE categoryId |chart count(action) as c by categoryId

And the result

![![![alt text][1]][1]][1]

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

lyndac
Contributor
‎05-15-2015 11:39 AM

This works:

index=myIndex
|eval subsystem=if (subsystem == "", "Not Provided", subsystem)
| chart count(ticket) by subsystem

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎05-15-2015 09:08 AM

Instead of fillnull, you could use this query:

index=myIndex| chart count(ticket) by subsystem|where subsystem != " "
SGF
0 Karma
Reply
Solved! Jump to solution

lyndac
Contributor
‎05-15-2015 11:26 AM

if I change the where clause to |where subsystem != "", this works by excluding all the null subsystems. I'd like to see the count of null subsystems, but I'd like there to be a label that says "Not Provided".

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎05-15-2015 09:07 AM

The problem is this: when charts counts by subsystem, events without a subsystem are not included. Try this instead:

index=myIndex 
| eval subsystem=if(isnull(subsystem),"Not Provided",subsystem)
| chart count(ticket) by subsystem
0 Karma
Reply
Solved! Jump to solution

lyndac
Contributor
‎05-15-2015 11:30 AM

Actually, I see a count of subsystems that have no value...it shows up as a slice of the pie with no label. I tried this solution and it didn't change anything.

Oddly, I used |eval subsystem=if (isnotnull(subsystem), "Not Provided", subsystem) and it changed ALL the subsystem values to "Not Provided".

Does splunk treat an empty string "" differently than a null value?

BTW -- this data was read in from a csv file where the data and looks like ,"", in the raw data.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎05-15-2015 11:57 AM

In your test for "isnotnull", you are saying "if subsystem has any value, replace it with 'not provided'" - I don't think that it is odd.

Yes, an empty string is technically not a null. Try this

index=myIndex 
 | eval subsystem=if(subsystem=="","Not Provided",subsystem)
 | chart count(ticket) by subsystem

Oops, I see that you figured this out in another answer...

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...