Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Top with optional field results

thrtnastrx
Observer
‎11-25-2024 01:20 PM

When I search I want to show the top results by a specific field "field1" and also show "field2" and "field3". Problem is some results don't have a "field2", but do contain the other fields. I get different results when I search if I include a "field2" in the results. Can I search and return all results weather or not "field2" exists?

| top field1 = all possible results
| top field1 field2 field3 = only results with all fields

What I want is just to show a blank line where "field2" would be on matches that don't have a "field2". Basically make "field2" optional.

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-25-2024 01:29 PM

Use

| fillnull field2 value=""

That will force all events with no field2 to have an empty value, rather than a null value.

That's the normal way to force potentially null fields to exist when using them in split by clauses, or top, as in your case.

Reply

thrtnastrx
Observer
‎11-25-2024 03:59 PM

Thanks for the reply but that didn't work; I should have mentioned that "field2" doesn't exist in the source data in some of the logs.   So some logs are:

field1, field2, field3, field4

and others are

field1, field3, field4,

So the header "field2" doesn't exist at all in some of the data.  I want to return result weather or not they have a "field2".

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-25-2024 06:20 PM

You did mention that field2 doesn't exist and that is exactly what fillnull will do. It will create a field in an event where there is no field for that event and it gives it the value you specify.

So when you say it didn't work, can you elaborate - what didn't work. field2 WILL be created if it does not exist in a log source where there is no field2 value, so top field1 field2 field3 field4 will not ignore results where field2 does not exist, because after fillnull, it will ALWAYS exist.

Perhaps you can show examples of the data and your SPL

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...