Splunk Search

Fillnull until specific time?

cmzhu
Explorer

Is there a way to get fillnull to work over all entries up until a certain time?

Right now, I'm evaluating a field in a subsearch with earliest=@d, latest=now and then working with the field outside of the subsearch. I want fillnull to work on that field up until now, but when I put "| fillnull value=0 field" at the end of the subsearch, it's not working. When I put that statement outside of the subsearch, fillnull is working over all times, not until now.

1 Solution

DalJeanis
SplunkTrust
| fillnull value=0 fieldA

is 100% equivalent to

| eval fieldA=coalesce(fieldA,0)

so you want something like

| eval fieldA = coalesce(fieldA, if(_time<now(), 0, null() )  )



cmzhu
Explorer

Thanks so much!

cmerriman
Super Champion

Can you show a snippet of your search? I see no immediate reason why that wouldn't work in a subsearch, so I'm curious how the subsearch is joined to the actual search.


cmzhu
Explorer
| makeresults count=288 | eval TimeDeltaSec=300 | accum TimeDeltaSec as TimeOffsetSec | eval _time=relative_time(now(),"@d-5m")+TimeOffsetSec | fields - TimeDeltaSec,TimeOffsetSec | eval TimeSlice=strftime(_time,"%H:%M") 
| join type=left TimeSlice [
search earliest=-30d@d latest=@d
...
| eventstats median(absDev) as mad by TimeSlice
| eval LowNormalCt=(med-mad*3), HighNormalCt=(med+mad*3)
| rename med as AvgNormalCt]
| fillnull value=0 HighNormalCt, AvgNormalCt, LowNormalCt
| join type=left TimeSlice
[search
earliest=@d latest=now
...
| stats first(ReqCt5m) as RC5 by TimeSlice, ActivSlice, ActivSite, CgClass
| stats sum(RC5) as LiveRequestCt by TimeSlice 
]
| table TimeSlice,LiveRequestCt,HighNormalCt,AvgNormalCt,LowNormalCt

I've tried adding "| fillnull value=0 LiveRequestCount" right before the last ']', but it's not working. When I add the statement after the bracket, it's filling every TimeSlice (as expected).

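The reason the bracketed fillnull has no effect is that the rows with a missing LiveRequestCt never exist inside the subsearch: the subsearch only returns the TimeSlices that had events, and the empty cells are created afterwards by the left join. The only place a fill can act on those cells is after the join, which is where DalJeanis's time-conditioned coalesce goes. The search below is an added example, not from the original thread, showing that fix on the same 5-minute skeleton; the real subsearch is replaced by a makeresults stand-in (constructed data: three slices from midnight, with LiveRequestCt assumed to be 10, 20 and 30) so it runs without any index.

```spl
| makeresults count=288
| eval TimeDeltaSec=300
| accum TimeDeltaSec as TimeOffsetSec
| eval _time=relative_time(now(),"@d-5m")+TimeOffsetSec
| fields - TimeDeltaSec, TimeOffsetSec
| eval TimeSlice=strftime(_time,"%H:%M")
| join type=left TimeSlice
    [| makeresults count=3
     | streamstats count as n
     | eval _time=relative_time(now(),"@d")+(n*300)
     | eval TimeSlice=strftime(_time,"%H:%M"), LiveRequestCt=n*10
     | fields TimeSlice, LiveRequestCt ]
| eval LiveRequestCt=coalesce(LiveRequestCt, if(_time<now(), 0, null()))
| eval Status=case(isnull(LiveRequestCt), "future", LiveRequestCt==0, "no traffic", true(), "seen")
| table _time, TimeSlice, LiveRequestCt, Status
```

Slices 00:05 to 00:15 keep their joined value, every other slice earlier than now() becomes 0, and slices later than now() stay null. That distinction matters for a baseline check like the one above: if future slices were filled with 0 they would all sit below LowNormalCt and trip the comparison before any traffic could have arrived, so keep them null and exclude them (for example with where isnotnull(LiveRequestCt)) in the alert condition.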

cmerriman
Super Champion

How are you calculating TimeSlice? Are they the same buckets in every single search? I see with the makeresults command it's every 5 minutes. If, when you break the search apart, the TimeSlice is a different bucket, then that could be the problem.


cmzhu
Explorer

TimeSlice is calculated the same way across the search; it's a field value in the indexes of the subsearch.
| eval TimeSlice=strftime(_time,"%H:%M")
