How to return events with or without a value in a ...

KyleMcDougall · ‎05-11-2022

Hi all!

I'm trying to create a table with case_number and session as the two columns.

Any event without a case_number won't show up in the table. How do I get them to show up?

index=cui botId=123456789 case_number=* session=*
| table case_number session

I tried using | fields case_number instead, but this didn't work either.

Appreciate any help!

TDFlames · ‎11-15-2022

Hi,

What you can try is

| fillnull value=

don't fill anything after the =

I'm having the same issue and this works for me, let me know if it works for you.

somesoni2 · ‎05-11-2022

Your base search is looking for events where both case_number and session fields are available. To see everything, just remove that filter from base search, like this

index=cui botId=123456789 session=*
| table case_number session

If you want to display some different value instead of blanks/null, try this version

index=cui botId=123456789 session=*
| eval case_number=coalesce(case_number,"Not Available")
| table case_number session

KyleMcDougall · ‎05-11-2022

For some reason, the case number field doesn't show up unless I add in "case_number=*'

Dually noted your eval command. I'm sure I'll end up using it if I can figure out how to get the blank case number values to populate.

batabay · ‎05-11-2022

Hi,

You can fill empty fields with fillnull command, try this ;

index=cui "your search" | fillnull case_number value=null | table case_number session

KyleMcDougall · ‎05-11-2022

This is really good to know! But, I still wasn't able to get events without a case number to show up.

I think the case_number=* parameter is enforcing that a value is present for this field.

How to return events with or without a value in a specific field?

field extraction

fields

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?