Splunk Search

How to return all events for Search even though the joiner field is empty

mninansplunk
Path Finder

Hello everyone,

I'm having a hard time figuring this out.  I have a Search where I have created a Transaction in order to only display the "Create" events in a table.  This worked, but, I had to add a joiner in order to display a field from another search.  Since I did this, only the events that have values in the joiner field I used is displayed.

I need help with how can I still show all of the events from the Transaction even though they don't have values from the joiner I used.

Here's the Search I have created.  (I'm still learning all of the Search possibilities, so it might be ugly 🙂)

(integrationName="Opsgenie Edge Connector - Splunk" alert.message="STORE*" alert.message!="*Latency" alert.message!="*Loss" action!="AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
| eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias)
| stats values(*) as * by joiner
| where alertAlias==x_86994_opsgenie_alert_alias
| fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, dv_number
| eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S")
| rename alert.message AS "Branch"
| rename "alertDetails.Alert Details URL" as "Source Link"
| rename dv_number as Incident
| table Created, Branch, "Source Link", Incident
| sort - Created

 

Thanks for any help on this one,

Tom


richgalloway
SplunkTrust

The stats command will not return results for a groupBy field that is empty or null.  Use the fillnull command or enhance the eval statement to ensure the joiner field always has a value.

---
If this reply helps you, Karma would be appreciated.
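One way to apply that advice to the posted search, as an added example that is not part of richgalloway's reply or the asker's original search: coalesce() returns the first non-null argument, so falling back to alert.id (the field the transaction is built on) gives every transaction a joiner value and keeps one stats row per transaction instead of dropping it. The second where clause is also relaxed so transactions with no matching ServiceNow incident survive; that change is this example's assumption about what the asker wants, not something stated in the reply.

```spl
(integrationName="Opsgenie Edge Connector - Splunk" alert.message="STORE*" alert.message!="*Latency" alert.message!="*Loss" action!="AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
| eval joiner=coalesce(alertAlias, x_86994_opsgenie_alert_alias, 'alert.id')
| stats values(*) as * by joiner
| where isnull(x_86994_opsgenie_alert_alias) OR alertAlias==x_86994_opsgenie_alert_alias
| eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S")
| rename alert.message AS Branch, "alertDetails.Alert Details URL" AS "Source Link", dv_number AS Incident
| table Created, Branch, "Source Link", Incident
| sort - Created
```

The fillnull route works too (keep the original eval and add `| fillnull value="NO_ALIAS" joiner` before stats), but a constant puts every alias-less transaction into a single stats group, which is why the coalesce() form with a per-transaction fallback is shown here.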