Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to ignore empty fields in a split in stats/tstats

mciudad
Explorer
‎08-17-2015 09:14 AM

Hi,

I'm trying to find the cardinality of the fields for my indexes. The problem is that some fields sometimes have a value and sometimes they don't, so when I split with tstats/stats using the "by" clause, if one of the fields is empty, it returns nothing.

Example:

| tstats count where index=summary by host

works perfectly. But if I add the field "asset" which for the last 7 days has had no values:

| tstats count where index=summary by host, asset

it returns "No results found".

How can I make Splunk ignore that "asset" field so if it's empty it shows the data with rest of the splits?

Thank you.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2016 01:15 PM

You can solve this in a two-step search:

| tstats count where index=summary asset=* by host, asset | append [tstats count where index=summary NOT asset=* by host | eval asset = "n/a"]

For regular stats you can indeed use fillnull as suggested by woodcock.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-14-2016 01:15 PM

You can solve this in a two-step search:

| tstats count where index=summary asset=* by host, asset | append [tstats count where index=summary NOT asset=* by host | eval asset = "n/a"]

For regular stats you can indeed use fillnull as suggested by woodcock.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-17-2015 09:18 AM

This is exactly what the fillnull command is for.

... | fillnull asset | tstats count where index=summary by host, asset
Reply
Solved! Jump to solution

claudio_manig
Communicator
‎10-05-2017 11:21 PM

saved a lot of headache on a stats query - thx a lot!

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎03-14-2016 04:37 PM

I downvoted this post because just realized this is great for stats (i use it all the time) but not for tstats, which is what is being discussed.

0 Karma
Reply
Solved! Jump to solution

dshpritz
SplunkTrust
SplunkTrust
‎03-03-2016 01:31 PM

This doesn't actually work. Per docs:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Tstats

The tstats command is a generating command. Generating commands use a leading pipe character. The tstats command must be the first command in a search pipeline, except when (append=true).

As such, to answer above will not work.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-07-2017 12:06 PM

Yes, I sometimes answer both without reading closely and without testing. I did not notice the t in front of `stats. Everyone commenting is quite correct.

0 Karma
Reply
Solved! Jump to solution

piebob
Splunk Employee
Splunk Employee
‎03-14-2016 01:14 PM

i've unaccepted this Answer per discussion, woodcock is going to give it another crack 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...