Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Substitute a value in the search result

ppurokit
Path Finder
‎10-06-2013 04:36 AM

I have a search result which returns me the following

Username,TimeOnVPN
user1,185.25
user2,1920.25
...
...
...
user6,
user7,

sourcetype="***" | rex "Duration:\s+((?\d+)d\s)?(?\d+)h:(?\d+)m:(?\d+)s," | eval total=round(((days*1440)+(hour*60)+(min)+(sec)/60),2) *|eval total_min = if(total =="",0,total) | stats sum(total_min) as TimeOnVPN by Username

Here if you take user6 and user7 does not have a value which means like i need to substitute "0" for it. I tried the eval function which i have bolded and it's not working as expected.

Please let me know how to achieve it.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jspears
Communicator
‎10-06-2013 05:26 AM

You could try fillnull: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Fillnull

| fillnull value=0

This will fill any existing field that is null with the value "0"

| fillnull value=0 total

This will fill only the field named "total" with "0"

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-06-2013 07:11 AM

You can try changing your search-eval as mentioned below:-

sourcetype="" | rex "Duration:s+((?d+)ds)?(?d+)h:(?d+)m:(?d+)s," | eval total=round(((days1440)+(hour*60)+(min)+(sec)/60),2) *|eval total_min = coalesce(total,0)** | stats sum(total_min) as TimeOnVPN by Username

Coalesce function will take first non null value from total or 0.

Reply
Solved! Jump to solution
Solution

jspears
Communicator
‎10-06-2013 05:26 AM

You could try fillnull: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Fillnull

| fillnull value=0

This will fill any existing field that is null with the value "0"

| fillnull value=0 total

This will fill only the field named "total" with "0"

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...