Splunk Search

How to display the last value of an event in place of each of the remaining null values in a row?

kkarthik2
Observer

Example: My dashboard looks like

              1:00       2:00       3:00       4:00
 1. foo       100        200        -          -
 2. foo1      -          -          50         100
 3. foo3      50         100        200        -
 4. foo4      -          50         100        200

We need to replace "-" with 200 in "1.foo" and similarly for "3.foo3".

I have used filldown, but it is not working. Can someone help me with the search for this?

sourcetype="foo" | .... | chart max(S1) as S1 by foo, time | filldown S1

0 Karma

alacercogitatus
SplunkTrust

You should be able to use the fillnull command.

sourcetype="foo" | .... | chart max(S1) as S1 by foo, time | fillnull value=200 S1

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/fillnull

0 Karma

kkarthik2
Observer

But it is showing in all the places wherever "-" is present. Please look at it below.

              1:00       2:00       3:00       4:00
 1. foo       100        200        -          -
 2. foo1      -          -          50         100
 3. foo3      50         100        300        -
 4. foo4      -          50         100        -

We need to replace "-" with 200 in "1.foo" at 3:00 and 4:00, and similarly "3.foo3" should be replaced with 300 at 4:00. In 4.foo4, replace with 100 at 4:00, not at 1:00.

I have used filldown, but it is not working. Can someone help me with the search for this?

0 Karma

kkarthik2
Observer

We need to show the latest value for the remaining times in each row, once the value reaches the target.

0 Karma
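
An added example, not part of any post in this thread: `filldown` copies the previous row's value downward, so it cannot fill gaps that run across the columns of a `chart ... by foo, time` result. The search below puts time on the rows, fills down, then pivots back. The `makeresults` rows are constructed sample data matching the second table, and the field names `foo`, `time` and `S1` are taken from the question.

```spl
| makeresults
| eval constructed_sample="foo,1:00,100;foo,2:00,200;foo1,3:00,50;foo1,4:00,100;foo3,1:00,50;foo3,2:00,100;foo3,3:00,300;foo4,2:00,50;foo4,3:00,100"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<foo>[^,]+),(?<time>[^,]+),(?<S1>\d+)$"
| chart max(S1) as S1 over time by foo
| filldown
| untable time foo S1
| xyseries foo time S1
```

Cells before a row's first value stay empty because `filldown` has nothing to carry forward there, and the rows must be in time order before `filldown` runs.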