Solved: How to name NULL column

nlrdy · ‎03-18-2016

Hello,

I'm a new user to splunk and want to know how to name a NULL column. For example, see below query.

index=ac_web sourcetype=access_log response_time > 5 earliest=-7d@d latest=now | timechart span=1h count by cs-uri-stem

When I run this query, I get "NULL" name for the second column. How can I name it ?

Thank you all !!

snoobzilla · ‎03-18-2016

Try fillnull....

index=ac_web sourcetype=access_log response_time > 5 earliest=-7d@d latest=now
| fillnull value=MyNullName cs-uri-stem
| timechart span=1h count by cs-uri-stem

View solution in original post

naidusadanala · ‎03-18-2016

Hi you can also do it by using tostring
eval cs-uri-stem=tostring(cs-uri-stem)

The above returns value to "Null"(in most of the cases)

then

|time span=1h count by cs-uri-stem

You can choose any method to so

snoobzilla · ‎03-18-2016

Try fillnull....

index=ac_web sourcetype=access_log response_time > 5 earliest=-7d@d latest=now
| fillnull value=MyNullName cs-uri-stem
| timechart span=1h count by cs-uri-stem

How to name NULL column

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation