Solved: Timecharting null values

bspargur · ‎05-11-2021

Is there a way, that anyone is aware of, to timechart off of a field sumarry. I can break down the fieldsummary by timecharting first, I just end up with repeated field names with what looks like hashes appended to them, which is weird. I am trying to detrmine all the NULL fields and present them in a timecharted graph by day. Currently, without the timechart portion, this is what I have.

...| fieldsummary
| search values=*Unknown*
| rex field=values \"Unknown\"\\S\"count\":(?<null_count>\\d+)},
|eval percent_null=(null_count/count)*100
|eval Percent1=100-percent_null
|fields field Percent1 null_count

ITWhisperer · ‎05-15-2021

| gentimes start=-30 increment=1h
| rename starttime as _time 
| fields _time
| eval fielda="a".mvindex(split("ABC",""),random()%4)
| eval fieldb="b".mvindex(split("ABC",""),random()%4)
| eval fieldc="c".mvindex(split("ABC",""),random()%4)
| eval fieldd="d".mvindex(split("ABC",""),random()%4)
| eval fielde="e".mvindex(split("ABC",""),random()%4)
| eval fieldf="f".mvindex(split("ABC",""),random()%4)


| foreach *
    [| eval null_<<FIELD>>=if(isnull(<<FIELD>>),1,null)]
| timechart span=1d sum(null_*) as null_*

View solution in original post

richgalloway · ‎05-11-2021

The timechart command requires the _time field, which fieldsummary does not supply.

---
If this reply helps you, Karma would be appreciated.

bspargur · ‎05-12-2021

The _time can be used prior to the field summary command being run, I just get crazy outputs. If there is a better way to do what I am trying to do, that would work too. I am just not quite sure how to get it to work right.

richgalloway · ‎05-13-2021

Is there another way to do what? Please describe your desired output. What do you mean by "crazy outputs"? What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.

bspargur · ‎05-14-2021

I am trying to trend NULL values over time. There are 12 fields in total. I am attempting to get it to trend by day where it shows the fields that are NULL with and the counts for those fields, in addition to a percentage of ones that were not NULL. I can provide the output I get on Monday but I think it might be better to take a step back and see if anyone has an idea for a better way to do this.

ITWhisperer · ‎05-15-2021

| gentimes start=-30 increment=1h
| rename starttime as _time 
| fields _time
| eval fielda="a".mvindex(split("ABC",""),random()%4)
| eval fieldb="b".mvindex(split("ABC",""),random()%4)
| eval fieldc="c".mvindex(split("ABC",""),random()%4)
| eval fieldd="d".mvindex(split("ABC",""),random()%4)
| eval fielde="e".mvindex(split("ABC",""),random()%4)
| eval fieldf="f".mvindex(split("ABC",""),random()%4)


| foreach *
    [| eval null_<<FIELD>>=if(isnull(<<FIELD>>),1,null)]
| timechart span=1d sum(null_*) as null_*

bspargur · ‎05-18-2021

Thank you. This is a very nice solution.

Timecharting null values

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation