Solved: How to name NULL column

nlrdy · ‎03-18-2016

Hello,

I'm a new user to splunk and want to know how to name a NULL column. For example, see below query.

index=ac_web sourcetype=access_log response_time > 5 earliest=-7d@d latest=now | timechart span=1h count by cs-uri-stem

When I run this query, I get "NULL" name for the second column. How can I name it ?

Thank you all !!

snoobzilla · ‎03-18-2016

Try fillnull....

index=ac_web sourcetype=access_log response_time > 5 earliest=-7d@d latest=now
| fillnull value=MyNullName cs-uri-stem
| timechart span=1h count by cs-uri-stem

View solution in original post

naidusadanala · ‎03-18-2016

Hi you can also do it by using tostring
eval cs-uri-stem=tostring(cs-uri-stem)

The above returns value to "Null"(in most of the cases)

then

|time span=1h count by cs-uri-stem

You can choose any method to so

snoobzilla · ‎03-18-2016

Try fillnull....

index=ac_web sourcetype=access_log response_time > 5 earliest=-7d@d latest=now
| fillnull value=MyNullName cs-uri-stem
| timechart span=1h count by cs-uri-stem

How to name NULL column

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio