How to show the line when its value is NULL with ...

mint_choco · ‎05-02-2025

Hi, I try to display the number of events per day from multiple indexes.

I wrote the below SPL, but when all index values are null for a specific date, the line itself is not displayed.

複数のindexから、nullには0を代入し、1日ごとのイベント件数を表示させたいです。

chartコマンドを使いイベント件数を表示、特定indexの値がnullの場合はisnullで0を代入できたのですが、特定の日にちだけ全てのindexの値がnullの時、その日の行自体が表示されません。

index IN (index1, index2, index3, index4)
| bin span=1d _time
| chart count _time over index
| eval index4=if(isnull(index4), 0, index4)

How to display a line of 4/2 by substituting 0 like the below table, when all indexes value of 4/2 are null?

下記の表のように4/2の値がなくとも、０を代入して4/2の行を表示させる方法はないでしょうか。

	index1	index2	index3	index4
4/1	12	3	45	0
4/2	0	0	0	0
4/3	16	7	34	0

yuanliu

There are several ways to do this. A traditional method is to backfill every day.

index IN (index1, index2, index3, index4)
| bin span=1d _time
| chart count _time over index
| append
    [ makeresults
    | timechart span=1d@d count
    | fields - count]
| stats values(*) as * by _time
| fillnull

Note I replaced your last line with fillnull. (This command is worth learning.)

Another somewhat sneaky way to do this depends on the real stats you perform. If it is simple stats such as count, you can just "sneak in" something that always have some value, such as index _internal.

index IN (index1, index2, index3, index4, _internal)
| bin span=1d _time
| chart count _time over index
| fields - VALUE_internal
| fillnull

How to show the line when its value is NULL with chart command / chartコマンドで行の値が0の時表示する方法

chart

count

stats

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?