Null iplocation data

hagjos43 · ‎06-02-2014

Hello,
I have the following query:

  . . .  | iplocation ClientIP | eval GeoLocation=case(Country="United States", "United States", Country=" ", "Views from Unknown Origins", Country!="United States" AND Country!=" ", "International") | top limit=3 GeoLocation | eval percent = round(percent,2) . " %"

The output of this query returns results like this:
GeoLocation     count       percent
United States   900         90%
International   100         10%

However it is not returning if the value for Country is null, I've ran the search and I know for the given time range null values exist for the country field. Can this work within the eval case() query?

hagjos43 · ‎06-02-2014

I figured out my own issue. fillnull fixed it!

Below is the working query:

| iplocation ClientIP | fillnull value="Unknown" Country | eval GeoLocation=case(Country="United States", "Views from the United States", Country="Unknown", "Views from Unknown Origins", Country!="United States" AND Country!="Unknown", "International Views") | top limit=3 GeoLocation | eval percent = round(percent,2) . " %"

Null iplocation data

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Null iplocation data

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...