Splunk Search

How to edit my search to create a chart that inserts "NO" wherever the value is blank?

gudavasr
Path Finder

Hi,

I have a chart like this from a search:

source="*.log" "Found TaskId" | | dedup source  |  eval FileFoundDate =  valdate + "_" + valtime  | eval Foundforvaldate = "YES" |  chart values(Foundforvaldate) over  TaskId  by   valdate  usenull=f useother=f

This is my current output:

TaskID   20150601   20150602   20150603
123        YES                    YES
213                    YES        YES
214                               YES

How can I insert "NO" wherever the value is blank?

Thank You

1 Solution

woodcock
Esteemed Legend

Like this:

source="*.log" "Found TaskId" | | dedup source | eval FileFoundDate = valdate + "_" + valtime | eval Foundforvaldate = "YES" | chart values(Foundforvaldate) over TaskId by valdate usenull=f useother=f | fillnull value="NO"

gudavasr
Path Finder

Thank You.
