Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Top with optional field results

thrtnastrx
Observer
‎11-25-2024 01:20 PM

When I search I want to show the top results by a specific field "field1" and also show "field2" and "field3". Problem is some results don't have a "field2", but do contain the other fields. I get different results when I search if I include a "field2" in the results. Can I search and return all results weather or not "field2" exists?

| top field1 = all possible results
| top field1 field2 field3 = only results with all fields

What I want is just to show a blank line where "field2" would be on matches that don't have a "field2". Basically make "field2" optional.

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-25-2024 01:29 PM

Use

| fillnull field2 value=""

That will force all events with no field2 to have an empty value, rather than a null value.

That's the normal way to force potentially null fields to exist when using them in split by clauses, or top, as in your case.

Reply

thrtnastrx
Observer
‎11-25-2024 03:59 PM

Thanks for the reply but that didn't work; I should have mentioned that "field2" doesn't exist in the source data in some of the logs.   So some logs are:

field1, field2, field3, field4

and others are

field1, field3, field4,

So the header "field2" doesn't exist at all in some of the data.  I want to return result weather or not they have a "field2".

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-25-2024 06:20 PM

You did mention that field2 doesn't exist and that is exactly what fillnull will do. It will create a field in an event where there is no field for that event and it gives it the value you specify.

So when you say it didn't work, can you elaborate - what didn't work. field2 WILL be created if it does not exist in a log source where there is no field2 value, so top field1 field2 field3 field4 will not ignore results where field2 does not exist, because after fillnull, it will ALWAYS exist.

Perhaps you can show examples of the data and your SPL

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...