Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to return all events for Search even though the joiner field is empty

mninansplunk
Path Finder
‎08-29-2023 07:29 AM

Hello everyone,

I'm having a hard time figuring this out.  I have a Search where I have created a Transaction in order to only display the "Create" events in a table.  This worked, but, I had to add a joiner in order to display a field from another search.  Since I did this, only the events that have values in the joiner field I used is displayed.

I need help with how can I still show all of the events from the Transaction even though they don't have values from the joiner I used.

Here's the Search I have created.  (I'm still learning all of the Search possibilities, so it might be ugly 🙂

(integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
| eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias)
| stats values(*) as * by joiner
| where alertAlias==x_86994_opsgenie_alert_alias
| fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time, dv_number
| eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S")
| rename alert.message AS "Branch"
| rename "alertDetails.Alert Details URL" as "Source Link"
| rename dv_number as Incident
| table Created, Branch, "Source Link", Incident
| sort by Created DESC

 

Thanks for any help on this one,

Tom

Labels (4)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-29-2023 05:23 PM

The stats command will not return results for a groupBy field that is empty or null.  Use the fillnull command or enhance the eval statement to ensure the joiner field always has a value.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...