Solved: Fulfill empty table entries

zugji · ‎04-28-2013

Is there a way I can fulfill empty tables.
name="*" | chart count by name,severity | rename 1 as alert, 2 as critical, 3 as error, 4 as warn, 5 as notice, 6 as info | table name,alert,critical,error,warn,notice,info | sort - alert,critical,error,warn,notice,info | head 20

This gives a table back with empty fields. Is there a way I can fulfill empty fields with 0?

Example:

name alert critical error warn notice info
t1                   2     1    1      0
t2                   1     1    0      0

Expectation:

name alert critical error warn notice info
t1   0     0         2     1    1      0
t2   0     0         1     1    0      0

Regards,
Christian

kristian_kolb · ‎04-28-2013

You should have a look at the fillnull command.

...| fillnull alert critical | ...

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎04-28-2013

You should have a look at the fillnull command.

...| fillnull alert critical | ...

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull

Hope this helps,

Kristian

Fulfill empty table entries

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats