- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Single value return N/A instead of 0
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi. I have two field Single Value.
First is using search:
source="/var/log/online-alerts_splunk2.log" online_aname="*die*" AND NOT online_aname="*blog*error*died*" AND online_avalue>0| stats count by online_ahostname,online_aname,online_avalue | table online_ahostname online_aname online_avalue | dedup online_ahostname online_aname | stats count as lista | rangemap field=lista low=0-0 default=severe
Second is using search:
index=mail watchdog | rex field=_raw "From = \"watchdog@(?<watch>.*) " | stats count by watch | stats max(count) as lista | rangemap field=lista low=0-4 default=severe
First search when not find any result display "0" in the SingleValue field. Second search when not find any result display "N/A". Could you help me to fix it? I need value "0" in second search too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SingleValue has a number of odd corner cases where it displays "N/A" when 0 would be better. For instance if you're using postprocess, but the base search has 0 rows, it'll say "N/A". And that's even if the postprocess is something like "stats count", where it should thus say "0".
I think what's happening here, is that there are no values of watch defined, so stats count by watch is an empty result set. You can sort of repair this by having
index=mail watchdog | rex field=_raw "From = \"watchdog@(?<watch>.*) " | fillnull watch value="no_watch_value" | stats count by watch | stats max(count) as lista | eval count=if(watch=="no_watch_value",0,count) | rangemap field=lista low=0-4 default=severe
This would mean that in the case where the 'watchless events' are the only events there, at least a 0 will make it through the whole search pipeline.
---UPDATE ------
Here is an updated search that should work even when you have no events at all matched in the initial search. I apologize but I assumed in my initial answer that you did have events returned consistently for 'index=mail watchdog', but that there was not always a 'watch' value extracted.
Anyway, here is the more robust form of the same idea. This search is resilient to the case when it matches no events at all.
index=mail watchdog | rex field=_raw "From = \"watchdog@(?<watch>.*) " | fillnull watch value="no_watch_value" | stats count by watch | stats count max(count) as lista | fillnull lista value="0" | eval count=if(watch=="no_watch_value",0,count) | rangemap field=lista low=0-4 default=severe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SingleValue has a number of odd corner cases where it displays "N/A" when 0 would be better. For instance if you're using postprocess, but the base search has 0 rows, it'll say "N/A". And that's even if the postprocess is something like "stats count", where it should thus say "0".
I think what's happening here, is that there are no values of watch defined, so stats count by watch is an empty result set. You can sort of repair this by having
index=mail watchdog | rex field=_raw "From = \"watchdog@(?<watch>.*) " | fillnull watch value="no_watch_value" | stats count by watch | stats max(count) as lista | eval count=if(watch=="no_watch_value",0,count) | rangemap field=lista low=0-4 default=severe
This would mean that in the case where the 'watchless events' are the only events there, at least a 0 will make it through the whole search pipeline.
---UPDATE ------
Here is an updated search that should work even when you have no events at all matched in the initial search. I apologize but I assumed in my initial answer that you did have events returned consistently for 'index=mail watchdog', but that there was not always a 'watch' value extracted.
Anyway, here is the more robust form of the same idea. This search is resilient to the case when it matches no events at all.
index=mail watchdog | rex field=_raw "From = \"watchdog@(?<watch>.*) " | fillnull watch value="no_watch_value" | stats count by watch | stats count max(count) as lista | fillnull lista value="0" | eval count=if(watch=="no_watch_value",0,count) | rangemap field=lista low=0-4 default=severe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your update works for me. Thank you very much! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see. I'll update my answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In flashtimeline I get message "No results found. Inspect ..." when there are not any alerts. Code that you pasted return correct values if there are any. So it looks like "fillnull" is not working as we want. I don't understand what do you mean "Message module". Where can I find it? Regards.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you test the searches by running them in flashtimeline, do they generate a result row? One way or another SingleValue prints "N/A" either when there are zero results, or if there's been an error or search exception along the way. Make sure you have a Message module so that search exceptions are displayed, and test the search manually to make sure it's returning a row. I may well have had a typo in there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply. Unfortunately after replacing search by your code nothing has changed. Any other ideas? :<
Video | Welcome Back to Smartness, Pedro
Detector Best Practices: Static Thresholds
Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...
