This is the event data:
ls1=INFO ls1Label=Severity ls2=MS SQL SERVER ls2Label=ServerType ls3=Command List ls3Label= cat=Audit sproc=ubuntu user=billy uid=DOMAIN\billybob dest= lhost=abrokenserver ohost=serverconnectedto CMD=su apt install *
index=rootCMDs
| rex field=_raw "^[^ \n]* (?P[^ ]+)"
| rex field=_raw "^(?:[^|\n]|){5}(?P[^|]+)"
| rex field=_raw "ls3label=(?<ls3label>.)\scat="
| eval ls3label=case(isnull(ls3label),"NULL",1=1,dst)
| where isnotnull(ls3label)
| search dst=" "
| stats count by lhost, ls3label, sproc, user, uid
| sort 0 count desc
When I pull the stats count I get no data, but the event data lists everything and has hundreds of events where *="no data". How do I specifically search for the blank data only? Or is my search improperly formatted?
@reneedeleon
Have you tried the `fillnull` command to assign a default value instead of keeping the null value?
http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Fillnull
| fillnull value="NA" lhost, ls3label, sproc, user, uid
| stats count by lhost, ls3label, sproc, user, uid
Converted comment to answer because that's the answer.
Thank you Dal,
Let me ask another question about the answer. Is it plausible to search multiple fields where there is data and NULL values?
maybe:
| search *=NULL OR | where *=NULL
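As an added example (not part of the answer above or of Splunk's documentation), this search builds on the `fillnull` approach for the five fields in the question and then treats an extracted-but-empty value the same way as a missing one, so both populated and blank rows survive into the `stats` and can be told apart with the `missing` flag. The `foreach` template and the `missing` field name are choices made for this example; the index and field names are the ones from the question.

```spl
index=rootCMDs
| fillnull value="NA" lhost, ls3label, sproc, user, uid
| foreach lhost ls3label sproc user uid
    [ eval <<FIELD>>=if(len(trim('<<FIELD>>'))=0, "NA", '<<FIELD>>') ]
| eval missing=if(lhost="NA" OR ls3label="NA" OR sproc="NA" OR user="NA" OR uid="NA", "yes", "no")
| stats count by missing, lhost, ls3label, sproc, user, uid
| sort 0 count desc
```

Appending `| where missing="yes"` keeps only the rows in which at least one of the five fields was null or blank; `fillnull` alone does not touch a field that was extracted as an empty string, which is why the `foreach` step is there.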