Splunk Search

Fillnull not working with chart

Contributor

I'm trying to create a simple chart of the number of tickets for a specified subsystem. However, the subsystem field is not always provided. Currently, there is a "slice" in my pie chart for tickets with no subsystem, but it has no label (because the subsystem is empty). The search I'm using is: index=myIndex | fillnull value="Not Provided" subsystem | chart count(ticket) by subsystem. I have tried moving the fillnull to after the chart command, and I have tried value=NONE, but no luck. Please help.

1 Solution

Contributor

This works:

index=myIndex
| eval subsystem=if(subsystem=="", "Not Provided", subsystem)
| chart count(ticket) by subsystem


Motivator

Hi lyndac

I think that you must simply retry like this:

index=myIndex | fillnull value=NONE subsystem | chart count(ticket) by subsystem

Look at this example; it works well:

sourcetype=access_* | fillnull value=NONE categoryId | chart count(action) as c by categoryId

And the result

[screenshot of the resulting chart]



Motivator

Instead of fillnull, you could use this query:

index=myIndex | chart count(ticket) by subsystem | where subsystem != " "

Contributor

If I change the where clause to | where subsystem != "", this works by excluding all the null subsystems. I'd like to see the count of null subsystems, but I'd like there to be a label that says "Not Provided".


Legend

The problem is this: when chart counts by subsystem, events without a subsystem are not included. Try this instead:

index=myIndex 
| eval subsystem=if(isnull(subsystem),"Not Provided",subsystem)
| chart count(ticket) by subsystem

Contributor

Actually, I see a count of subsystems that have no value: it shows up as a slice of the pie with no label. I tried this solution and it didn't change anything.

Oddly, I used | eval subsystem=if(isnotnull(subsystem), "Not Provided", subsystem) and it changed ALL the subsystem values to "Not Provided".

Does Splunk treat an empty string "" differently than a null value?

BTW, this data was read in from a CSV file where the data looks like ,"", in the raw data.


Legend

In your test for "isnotnull", you are saying "if subsystem has any value, replace it with 'Not Provided'", so I don't think that it is odd.

Yes, an empty string is technically not a null. Try this:

index=myIndex
| eval subsystem=if(subsystem=="", "Not Provided", subsystem)
| chart count(ticket) by subsystem

Oops, I see that you figured this out in another answer...

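To make the null-versus-empty-string distinction in the question and the last answer concrete, here is an added example that is not from any post in this thread. Instead of index=myIndex it builds four constructed events with makeresults, so it runs on any Splunk instance: two with real subsystem values, one whose subsystem is the empty string (what the ,"", in the CSV extracts to), and one with no subsystem field at all. chart ... by subsystem silently drops events whose by-field is null and groups the empty string under an unlabeled row, which is the blank pie slice described above. The eval therefore normalises both cases to "Not Provided" before charting; trim() additionally catches whitespace-only values such as the " " that appeared in one of the where clauses. The field names ticket and subsystem are kept from the original search.

```spl
| makeresults count=4
| streamstats count AS ticket
| eval subsystem=case(
      ticket==1, "auth",
      ticket==2, "billing",
      ticket==3, "",
      true(),    null())
| eval subsystem=if(isnull(subsystem) OR trim(subsystem)=="", "Not Provided", subsystem)
| chart count(ticket) AS tickets BY subsystem
```

The result is three rows: auth 1, billing 1, Not Provided 2. Swapping the second eval for the fillnull from the original question would relabel only the fourth event (the one with no field), leaving the empty-string event in the unlabeled group, which is exactly the behaviour reported in the thread. On a real sourcetype the first three lines are replaced by the index search, and the eval must sit before the chart command, since after chart the empty string is already a group key.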