Re: Null iplocation data

hagjos43 · ‎06-02-2014

Hello,
I have the following query:

  . . .  | iplocation ClientIP | eval GeoLocation=case(Country="United States", "United States", Country=" ", "Views from Unknown Origins", Country!="United States" AND Country!=" ", "International") | top limit=3 GeoLocation | eval percent = round(percent,2) . " %"

The output of this query returns results like this:
GeoLocation     count       percent
United States   900         90%
International   100         10%

However it is not returning if the value for Country is null, I've ran the search and I know for the given time range null values exist for the country field. Can this work within the eval case() query?

hagjos43 · ‎06-02-2014

I figured out my own issue. fillnull fixed it!

Below is the working query:

| iplocation ClientIP | fillnull value="Unknown" Country | eval GeoLocation=case(Country="United States", "Views from the United States", Country="Unknown", "Views from Unknown Origins", Country!="United States" AND Country!="Unknown", "International Views") | top limit=3 GeoLocation | eval percent = round(percent,2) . " %"

Null iplocation data

Upcoming Webinar - Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard

Join the Conversation

Null iplocation data

Upcoming Webinar - Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Splunk and TLS: It doesn't have to be too hard