My Splunk query, which I included below, generates a table, which appears as follows. The issue that I'm trying to resolve is being able to populate non-existent values with "No Data", as shown in the 2020-08-11 column. There are other date columns with non-existent values (note, these are not just null values, which have been set to filnull value = 0. These are non-existent values.) Can someone provide some assistance on how to do this? I have used fillnull and filldown, but have not been successful. I have also tried eval statements setting the parameter to null.

index=test_index_1 sourcetype=test_sourcetype_2

| eval epoch_Timestamp=strptime(Timestamp, "%Y-%m-%dT%H:%M:%S.%3QZ")-14400

| rename "Transaction Name" as trans_name, "Application Name" as application_name, "Status Code" as status_code

| eval service_id=case(Verb="GET" AND trans_name="Transaction1" AND application_name="APP1", "ID1", Verb="GET" AND trans_name="Transaction2" AND application_name="App2", "ID2", Verb="PUT" AND trans_name="Transaction2" AND application_name="App2", "ID3", 1=1, "Unqualified")

| where service_id!="Unqualified"

| eval Priority=case(Verb="GET" AND trans_name="Transaction1" AND application_name="APP1", "2", Verb="GET" AND trans_name="Transaction2" AND application_name="App2", "2", Verb="PUT" AND trans_name="Transaction2" AND application_name="App2", "1", 1=1, "Unqualified")

| where Priority!="Unqualified"

| eval service_area=case(Verb="GET" AND trans_name="Transaction1" AND application_name="APP1", "Area1", Verb="GET" AND trans_name="Transaction2" AND application_name="App2", "Area2", Verb="PUT" AND trans_name="Transaction2" AND application_name="App2", "Member", 1=1, "Unqualified")

| where service_area!="Unqualified"

| eval date_reference=strftime(epoch_Timestamp, "%Y-%m-%d")

| stats count(eval(status_code)) as count by service_id, Verb, trans_name, Priority, service_area, application_name, date_reference

| eval combined=service_id."@".Verb."@".trans_name."@".Priority."@".service_area."@".application_name."@"

| xyseries combined date_reference count

| rex field=combined "^(?<service_id>[^\@]+)\@(?<Verb>[^\@]+)\@(?<trans_name>[^\@]+)\@(?<Priority>[^\@]+)\@(?<service_area>[^\@]+)\@(?<application_name>[^\@]+)\@$"

| fillnull value="0"

| table service_id, Verb, trans_name, Priority, service_area, application_name

[ makeresults | addinfo

| eval time = mvappend(relative_time(info_min_time,"@d"),relative_time(info_max_time,"@d"))

| fields time | mvexpand time

| makecontinuous time span=1d

| eval time=strftime(time,"%F")

| reverse

| stats list(time) as time

| return $time

]

| rename service_id as "Service ID", Verb as "Resource Name", trans_name as "Transaction Name", Priority as "Priority", service_area as "Service Area", application_name as "Consumer"