Replace a null value after search appending

patilsh · ‎09-08-2017

Hello All,

I have a search query as below:

    index="alpha_all_aal_event" type=twaReport|search callId=0  userId=a2ebd4aa-f91a-4088-8667-60143707c368|fields *|rename eventTime.$date as eventTime|eval eventTime=(eventTime/1000)|append [search index="alpha_all_careport_event" userId=a2ebd4aa-f91a-4088-8667-60143707c368|fields *|rename eventTime.$date as eventTime|eval eventTime=(eventTime/1000)|streamstats min(eventTime) as limit]|table  eventTime eventData.preLimiterSplEstimate eventData.postLimiterSplEstimate eventData.twaThreshold limit

And the data is shown below :

The limit column has just a single value min(eventTime) from one of the search queries, and its null everywhere else. I want to replace the null value of limit, with already existing single value in limit. Can someone please help me how to do this, as this is appended search I am not getting the expected results.

DalJeanis · ‎09-08-2017

try this ...

| eventstats min(limit) as limit

Although I'd probably write it more like this...

 userId="a2ebd4aa-f91a-4088-8667-60143707c368"  
(index="alpha_all_aal_event" type=twaReport callId=0  ) OR (index="alpha_all_careport_event")
| fields *
| rename eventTime.$date as eventTime
| eval eventTime=(eventTime/1000)
| eval limit=if(index="alpha_all_careport_event",eventTime,null())
| eventstats min(limit) as limit by userId 
| where index="alpha_all_aal_event"
| table eventTime eventData.preLimiterSplEstimate eventData.postLimiterSplEstimate eventData.twaThreshold limit

patilsh · ‎09-08-2017

I tried eventstats, still the same

DalJeanis · ‎09-08-2017

@patilsh - okay, try my way then.

Replace a null value after search appending

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup