Solved: Re: Fulfill empty table entries

zugji · ‎04-28-2013

Is there a way I can fulfill empty tables.
name="*" | chart count by name,severity | rename 1 as alert, 2 as critical, 3 as error, 4 as warn, 5 as notice, 6 as info | table name,alert,critical,error,warn,notice,info | sort - alert,critical,error,warn,notice,info | head 20

This gives a table back with empty fields. Is there a way I can fulfill empty fields with 0?

Example:

name alert critical error warn notice info
t1                   2     1    1      0
t2                   1     1    0      0

Expectation:

name alert critical error warn notice info
t1   0     0         2     1    1      0
t2   0     0         1     1    0      0

Regards,
Christian

kristian_kolb · ‎04-28-2013

You should have a look at the fillnull command.

...| fillnull alert critical | ...

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-28-2013

You should have a look at the fillnull command.

...| fillnull alert critical | ...

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull

Hope this helps,

Kristian

Fulfill empty table entries

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation