Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Top syntax to display null fields when using 'by'?

Tisiphone_1
Explorer
‎06-12-2010 06:52 PM

When I use 'top' to create a top n list of fields, and I add two fields, using by, so:

top field1 by field2

if either field is not present in a result, it does not display in the list. I want to display events in my results even the secondary field is null. Is there any way to do this?

For example:

top infected person by infection

Even if I don't know what infection it is, I still want them to show up on the list of infected people, and I still want to see the infection if it is available.

Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Top syntax to display null fields when using 'by'?

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎06-12-2010 10:27 PM

The best way to do this is to use the fillnull command to make the desired fields dense. In this case, you could try:

... | fillnull value=NULL person infection | top person by infection

View solution in original post

Reply
Highlighted
Solved! Jump to solution

Re: Top syntax to display null fields when using 'by'?

Tisiphone_1
Explorer
‎06-12-2010 10:29 PM

Thanks a ton, Stephen!

0 Karma
Reply