Re: How do I pull a stats table where there are bl...

reneedeleon · ‎09-26-2018

This is the event data:
ls1=INFO ls1Label=Severity ls2=MS SQL SERVER ls2Label=ServerType ls3=Command List ls3Label= cat=Audit sproc=ubuntu user=billy uid=DOMAIN\billybob dest= lhost=abrokenserver ohost=serverconnectedto CMD=su apt install *

index=rootCMDs
| rex field=_raw "^[^ \n]* (?P[^ ]+)"
| rex field=_raw "^(?:[^|\n]|){5}(?P[^|]+)"
| rex field=_raw "ls3label=(?.)\scat="
| eval ls3label=case(isnull(ls3label),"NULL",1=1,dst)
| where isnotnull(ls3label)
| search dst=" "
| stats count by lhost, ls3label, sproc. user, uid
| sort 0 count desc

When I pull the stats count I get no data but the even data lists everything and has hundreds of events where *="no data". How do I specifically search for the blank data only? Or is my search improperly formatted?

kamlesh_vaghela · ‎09-26-2018

@reneedeleon

Have you tried `fillnull' command to assigned default value instead of keeping null value?

http://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Fillnull

| fillnull value="NA" lhost, ls3label, sproc. user, uid
| stats count by lhost, ls3label, sproc. user, uid

DalJeanis · ‎09-26-2018

Converted comment to answer because that's the answer.

reneedeleon · ‎09-27-2018

Thank you Dal,

 Let me ask another question to the answer. Is it plausible to search multiple fields where there is data and NULL values.

maybe:

| search *=NULL OR | where *=NULL

How do I pull a stats table where there are blank fields in event data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation