Splunk Search
Highlighted

How to display the last value of an event in place of each of the remaining null values in a row?

New Member

Example: My dashboard looks like

              1:00       2:00       3:00       4:00
 1. foo       100        200        -          -
 2. foo1      -          -          50         100
 3. foo3      50         100        200        -
 4. foo4      -          50         100        200

We need to replace "-" with 200 in "1.foo" and similarly for "3.foo3".

I have used filldown, but it is not working. Can someone help me with the search for this?

sourcetype="foo" | ....|chart max(S1) as S1 by foo, time | filldown S1.

Tags (3)
0 Karma
Highlighted

Re: How to display the last value of an event in place of each of the remaining null values in a row?

SplunkTrust
SplunkTrust

You should be able to use the fillnull command.

sorucetype="foo" | ....|chart max(S1) as S1 by foo,time | fillnull value=200 S1

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/fillnull

0 Karma
Highlighted

Re: How to display the last value of an event in place of each of the remaining null values in a row?

New Member

But It should showing in all the places wherever "-" presents. Plz look it below

                  1:00         2:00         3:00          4:00
  1. foo 100 200 - -
  2. foo1 - - 50 100
  3. foo3 50 100 300 -
  4. foo4 - 50 100 -

We need to replace "-" with 200 in "1.foo" at time of 3:00 and 4:00and similarly for "3.foo3" should replace 300 at time of 4:00. In 4.foo4 replace 100 at 4:00, not at 1:00

I have used filldown, but it is not working. Can someone help me with the search for this?

0 Karma
Highlighted

Re: How to display the last value of an event in place of each of the remaining null values in a row?

New Member

need to show latest value on remaining times for each row, once we get value reaches the target.

0 Karma