Splunk Search

Replace no value with "0" (zero)

Hi all,

Since a few days I am in a battle regarding the following and I am on the loosing edge here. So all help is wanted of course.

Instead of "no result found" in the graph area, I want to have a visual but in that case all "0".

My query is as follows:

index=index host=test 
| rex field=_raw "(?ms)^(?:[^ \\n]* ){6}(?P<SyslogMessage>[^:]+)(?:[^ \\n]* ){7}(?P<src_ip>[^ ]+) to (?P<dest_ip>[^ ]+)"  
| eval msg = if(match(SyslogMessage,"%ABC-1-*"),"alert", if(match(SyslogMessage,"%ABC-2-*"),"critical","Other"))
| Search NOT msg="other"
| timechart span=360s count(msg) as cnt, first(BaseLine) as Baseline by msg
| eval BaseLine=8

I tried several options such as before the last |eval BaseLine=8:

| fillnull value=0 cnt

Looking for some magic.

S

Tags (2)
0 Karma

SplunkTrust
SplunkTrust
|  timechart span=360s count(msg) as cnt, first(BaseLine) as Baseline by msg

please provide the results.

_time cnt: alert cnt: critical cnt: other Baseline: alert Baseline: critical Baseline: other

Is this?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!