Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show a 0 if no data on a source

Rajaion
Path Finder
‎12-05-2023 05:58 AM

Hello community,

I'm having a problem that's probably easy to solve, but I can't figure it out.

I have a query that will query an index that contains alerts from Splunk OnCall. And I count each alert source (via the associated routingkey from OnCall) and its status (Acknowledged or not).

`victorops_incidents`  | sort lastAlertTime desc | dedup incidentNumber | fields * | search org="*" routingKey=** pagedPolicies{}.policy.name!=0_Reroute_alertes currentPhase!=RESOLVED
| eval currentPhase=case(like(currentPhase, "%UNACKED%"), "Non acquitté", like(currentPhase, "%ACKED%"), "En cours") 
| eval routingKey=case(like(routingKey, "%routingcontrol-m%"), "Control-M", like(routingKey, "%dyn%"), "Dynatrace", like(routingKey, "%centreon%"), "Centreon", like(routingKey, "%servicepilot%"), "ServicePilot", like(routingKey, "%p_1%"), "P1")
| rename currentPhase as Etat, routingKey as Source
| chart count by Etat, Source
| sort - Etat


I have an almost perfect table which summarizes everything but I am missing some information: I sometimes have a source which has not generated any alert so it is absent from the table (in the screen below, I have the sources "Control-M", "Dynatrace" and "ServicePilot" but I am missing "Centreon" because the latter did not have any incidents in the period of time) :

Rajaion_0-1701784707699.png

My question is the following: how to make all the sources appear but display 0 when they have not had any alerts?

Best regards,

Rajaion

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-05-2023 08:10 AM

Try like this

| table Etat, "Control-M", "Dynatrace", "ServicePilot", "Centreon"
| fillnull value=0 "Control-M", "Dynatrace", "ServicePilot", "Centreon"

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-05-2023 06:08 AM

Try something like this

| table Etat, "Control-M", "Dynatrace", "ServicePilot", "Centreon"
| fillnull value=0
0 Karma
Reply
Solved! Jump to solution

Rajaion
Path Finder
‎12-05-2023 07:58 AM

Hi @ITWhisperer,

Thank you for your help, I have my source "Centreon" but it does not display 0 yet. I had already tried the "fillnull" but poorly because it created extra fields.

Rajaion_0-1701791257646.png

Best Regards,

Rajaion

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-05-2023 08:10 AM

Try like this

| table Etat, "Control-M", "Dynatrace", "ServicePilot", "Centreon"
| fillnull value=0 "Control-M", "Dynatrace", "ServicePilot", "Centreon"
Reply
Solved! Jump to solution

Rajaion
Path Finder
‎12-05-2023 08:13 AM

I just saw your new message, it works even better and it's cleaner.
Thank you for your help !

Rajaion_0-1701792781806.png

 

0 Karma
Reply
Solved! Jump to solution

Rajaion
Path Finder
‎12-05-2023 08:11 AM

By manually setting for a source, it works, even if it is not optimal.

| eval "Centreon"=if(isnull(Centreon),0,'Centreon')

 

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top