Splunk Search

Replace a null value after search appending

patilsh
Explorer

Hello All,

I have a search query as below:

    index="alpha_all_aal_event" type=twaReport|search callId=0  userId=a2ebd4aa-f91a-4088-8667-60143707c368|fields *|rename eventTime.$date as eventTime|eval eventTime=(eventTime/1000)|append [search index="alpha_all_careport_event" userId=a2ebd4aa-f91a-4088-8667-60143707c368|fields *|rename eventTime.$date as eventTime|eval eventTime=(eventTime/1000)|streamstats min(eventTime) as limit]|table  eventTime eventData.preLimiterSplEstimate eventData.postLimiterSplEstimate eventData.twaThreshold limit

And the data is shown below :
alt text

The limit column has just a single value min(eventTime) from one of the search queries, and its null everywhere else. I want to replace the null value of limit, with already existing single value in limit. Can someone please help me how to do this, as this is appended search I am not getting the expected results.

0 Karma

DalJeanis
Legend

try this ...

| eventstats min(limit) as limit

Although I'd probably write it more like this...

 userId="a2ebd4aa-f91a-4088-8667-60143707c368"  
(index="alpha_all_aal_event" type=twaReport callId=0  ) OR (index="alpha_all_careport_event")
| fields *
| rename eventTime.$date as eventTime
| eval eventTime=(eventTime/1000)
| eval limit=if(index="alpha_all_careport_event",eventTime,null())
| eventstats min(limit) as limit by userId 
| where index="alpha_all_aal_event"
| table eventTime eventData.preLimiterSplEstimate eventData.postLimiterSplEstimate eventData.twaThreshold limit
0 Karma

patilsh
Explorer

I tried eventstats, still the same

0 Karma

DalJeanis
Legend

@patilsh - okay, try my way then.

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...