Splunk Search

Timecharting null values

bspargur
Engager

Is there a way, that anyone is aware of, to timechart off of a fieldsummary? I can break down the fieldsummary by timecharting first; I just end up with repeated field names with what looks like hashes appended to them, which is weird. I am trying to determine all the NULL fields and present them in a timecharted graph by day. Currently, without the timechart portion, this is what I have.

...| fieldsummary
| search values=*Unknown*
| rex field=values "\"Unknown\"\S\"count\":(?<null_count>\d+)}"
| eval percent_null=(null_count/count)*100
| eval Percent1=100-percent_null
| fields field Percent1 null_count


richgalloway
SplunkTrust

The timechart command requires the _time field, which fieldsummary does not supply.


bspargur
Engager

The _time can be used prior to the fieldsummary command being run; I just get crazy outputs. If there is a better way to do what I am trying to do, that would work too. I am just not quite sure how to get it to work right.


richgalloway
SplunkTrust

Is there another way to do what?  Please describe your desired output.  What do you mean by "crazy outputs"?  What problem are you trying to solve?


bspargur
Engager

I am trying to trend NULL values over time. There are 12 fields in total. I am attempting to get it to trend by day where it shows the fields that are NULL with the counts for those fields, in addition to a percentage of ones that were not NULL. I can provide the output I get on Monday, but I think it might be better to take a step back and see if anyone has an idea for a better way to do this.


ITWhisperer
SplunkTrust

| gentimes start=-30 increment=1h
| rename starttime as _time
| fields _time
| eval fielda="a".mvindex(split("ABC",""),random()%4)
| eval fieldb="b".mvindex(split("ABC",""),random()%4)
| eval fieldc="c".mvindex(split("ABC",""),random()%4)
| eval fieldd="d".mvindex(split("ABC",""),random()%4)
| eval fielde="e".mvindex(split("ABC",""),random()%4)
| eval fieldf="f".mvindex(split("ABC",""),random()%4)
| foreach *
    [| eval null_<<FIELD>>=if(isnull(<<FIELD>>),1,null())]
| timechart span=1d sum(null_*) as null_*
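As an added example (not posted in this thread), the foreach/timechart approach above extended to also return, per field and per day, the percentage of events in which the field was present, which is the second number the original question asked for. The simulated `field*` data from gentimes and the `pct_present_` prefix are assumptions for illustration; `<<MATCHSTR>>` is the part of the field name matched by the wildcard in the second foreach.

```spl
| gentimes start=-30 increment=1h
| rename starttime as _time
| fields _time
| eval fielda="a".mvindex(split("ABC",""),random()%4)
| eval fieldb="b".mvindex(split("ABC",""),random()%4)
| eval fieldc="c".mvindex(split("ABC",""),random()%4)
| foreach field*
    [| eval null_<<FIELD>>=if(isnull(<<FIELD>>),1,0)]
| timechart span=1d count as total sum(null_*) as null_*
| foreach null_*
    [| eval pct_present_<<MATCHSTR>>=round(100*(total-<<FIELD>>)/total,1)]
```

Replace the gentimes and eval lines with your own search; using 1/0 instead of null() makes the daily sum 0 on days with no nulls rather than an empty cell, so the percentage still computes.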

bspargur
Engager

Thank you. This is a very nice solution. 
