Splunk Search

Replace a null value after search appending

patilsh
Explorer

Hello All,

I have a search query as below:

    index="alpha_all_aal_event" type=twaReport|search callId=0  userId=a2ebd4aa-f91a-4088-8667-60143707c368|fields *|rename eventTime.$date as eventTime|eval eventTime=(eventTime/1000)|append [search index="alpha_all_careport_event" userId=a2ebd4aa-f91a-4088-8667-60143707c368|fields *|rename eventTime.$date as eventTime|eval eventTime=(eventTime/1000)|streamstats min(eventTime) as limit]|table  eventTime eventData.preLimiterSplEstimate eventData.postLimiterSplEstimate eventData.twaThreshold limit

And the data is shown below :
alt text

The limit column has just a single value min(eventTime) from one of the search queries, and its null everywhere else. I want to replace the null value of limit, with already existing single value in limit. Can someone please help me how to do this, as this is appended search I am not getting the expected results.

0 Karma

DalJeanis
Legend

try this ...

| eventstats min(limit) as limit

Although I'd probably write it more like this...

 userId="a2ebd4aa-f91a-4088-8667-60143707c368"  
(index="alpha_all_aal_event" type=twaReport callId=0  ) OR (index="alpha_all_careport_event")
| fields *
| rename eventTime.$date as eventTime
| eval eventTime=(eventTime/1000)
| eval limit=if(index="alpha_all_careport_event",eventTime,null())
| eventstats min(limit) as limit by userId 
| where index="alpha_all_aal_event"
| table eventTime eventData.preLimiterSplEstimate eventData.postLimiterSplEstimate eventData.twaThreshold limit
0 Karma

patilsh
Explorer

I tried eventstats, still the same

0 Karma

DalJeanis
Legend

@patilsh - okay, try my way then.

0 Karma
Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider since currently there’s no support ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...