Solved: Top syntax to display null fields when using 'by'?

Tisiphone_1 · ‎06-12-2010

When I use 'top' to create a top n list of fields, and I add two fields, using by, so:

top field1 by field2

if either field is not present in a result, it does not display in the list. I want to display events in my results even the secondary field is null. Is there any way to do this?

For example:

top infected person by infection

Even if I don't know what infection it is, I still want them to show up on the list of infected people, and I still want to see the infection if it is available.

Stephen_Sorkin · ‎06-12-2010

The best way to do this is to use the fillnull command to make the desired fields dense. In this case, you could try:

... | fillnull value=NULL person infection | top person by infection

View solution in original post

Tisiphone_1 · ‎06-12-2010

Thanks a ton, Stephen!

Stephen_Sorkin · ‎06-12-2010

The best way to do this is to use the fillnull command to make the desired fields dense. In this case, you could try:

... | fillnull value=NULL person infection | top person by infection

Top syntax to display null fields when using 'by'?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation