- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Fillnull until specific time?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to get fillnull to work over all entries up until a certain time?
Right now, I'm evaluating a field in a subsearch with earliest=@d, latest=now and then working with the field outside of the subsearch. I want fillnull to work on that field up until now, but when I put "| fillnull value=0 field" at the end of the subsearch, it's not working. When I put that statement outside of the subsearch, fillnull is working over all times, not until now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| fillnull value=0 fieldA
is 100% equivalent to
| eval fieldA=coalesce(fieldA,0)
so you want something like
| eval fieldA = coalesce(fieldA, if(_time<now(), 0, null() ) )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| fillnull value=0 fieldA
is 100% equivalent to
| eval fieldA=coalesce(fieldA,0)
so you want something like
| eval fieldA = coalesce(fieldA, if(_time<now(), 0, null() ) )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks so much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you show a snippet of your search? i see no immediate reason why that wouldn't work in a subsearch, so i'm curious how the subsearch is joined to the actual search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults count=288 | eval TimeDeltaSec=300 | accum TimeDeltaSec as TimeOffsetSec | eval _time=relative_time(now(),"@d-5m")+TimeOffsetSec | fields - TimeDeltaSec,TimeOffsetSec | eval TimeSlice=strftime(_time,"%H:%M")
| join type=left TimeSlice [
search earliest=-30d@d latest=@d
...
| eventstats median(absDev) as mad by TimeSlice
| eval LowNormalCt=(med-mad*3), HighNormalCt=(med+mad*3)
| rename med as AvgNormalCt]
| fillnull value=0 HighNormalCt, AvgNormalCt, LowNormalCt
| join type=left TimeSlice
[search
earliest=@d latest=now
...
| stats first(ReqCt5m) as RC5 by TimeSlice, ActivSlice, ActivSite, CgClass
| stats sum(RC5) as LiveRequestCt by TimeSlice
]
| table TimeSlice,LiveRequestCt,HighNormalCt,AvgNormalCt,LowNormalCt
I've tried adding "| fillnull value=0 LiveRequestCount" right before the last ']', but it's not working. When I add the statement after the bracket, it's filling every TimeSlice (as expected).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how are you calculating TimeSlice? are they the same buckets in every single search? I see with the makeresults command it's every 5 minutes. If when you break the search apart, the TimeSlice is a different bucket, then that could be the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TimeSlices is calculated the same way across the search; it's a field value in the indexes of the subsearch.
| eval TimeSlice=strftime(_time,"%H:%M")
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
