Did this change occur recently? Why would timechart auto fillnull my field in a timechart?
Example:
index=main | timechart count by level
RESULT:
I get a level=NULL value in my table (Verified that there is no level=NULL in my data)
Search Inspector shows:
litsearch index=main | addinfo type=count label=prereport_events | fields keepcolorder=t "_time" "level" "prestats_reserved_*" "psrsvd_*" | prebin _time span=rtspan | fillnull value=NULL "level" | prestats count by _time level
index=main | stats count by level
does NOT insert a fillnull on my level field.
It might not solve for the WHY, but it will fix the issue, if you are not concerned with what the nulls are.
index=main | timechart count by level usenull=f
Yes, the solution to work around the unwanted fill nulls is to use a level=* filter in the base query.
However, this is not required for stats -- and just wondering when the change to timechart occurred (to inject fillnull value=NULL automatically) or maybe I just wasn't paying attention to timechart behavior all of these years.
I've never seen nulls crop up in timechart unless there was some value, either in the data or generated by an eval producing it.
I know stats is not showing your nulls, and I think you already tried level=*. The only thing I can think of is to see if running a subsearch after the timechart (or chart) might work, with a |search level=null and see if you get a result.
search level=null returns nothing and the job inspector clearly shows that Splunk is adding:
| fillnull value=NULL "level"
This is why I suspect something has changed in recent versions -- this is version 6.3.4. I'm a long-time Splunk user and this is the first time I've noticed it... or, like I said, I wasn't paying attention previously, which I doubt, as I've previously created workarounds for missing spans due to non-existent values.
What version of Splunk are you using? Do you get the same behaviour if you use the following?
index=main level=*| timechart count by level
Yes, using level=* filter is the obvious. Question is whether this behavior changed. stats doesn't inject a fillnull -- timechart does inject a fillnull.
Version is tagged 6.3.4.
Either stats or timechart produces a table.
You said "in your table"; are you using timechart to create a table of events by time? If so, I think you should use | stats count by level, _time instead of timechart.
Can you try that and let us know the results?
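
An added illustration, not part of any post in this thread and not Splunk's code: a small Python model of the difference discussed above, where stats drops events that lack the split-by field while timechart applies the fillnull step seen in the litsearch and counts them under NULL unless usenull=f is set. The sample events, function names and 60-second span are assumptions made for the example.

```python
from collections import Counter

# Constructed sample events (not from the thread); two have no "level" field.
EVENTS = [
    {"_time": 0, "level": "INFO"},
    {"_time": 10, "level": "ERROR"},
    {"_time": 20},                       # field absent
    {"_time": 70, "level": "INFO"},
    {"_time": 80},                       # field absent
    {"_time": 95, "level": "INFO"},
]


def stats_count_by(events, field):
    """Model of `stats count by <field>`: events missing the field are dropped."""
    return dict(Counter(e[field] for e in events if e.get(field) is not None))


def timechart_count_by(events, field, span=60, usenull=True, nullstr="NULL"):
    """Model of `timechart count by <field>`.

    Mirrors the litsearch steps: prebin _time, fillnull on the split-by
    field, then count by _time and field. Zero-count cells are omitted.
    """
    table = {}
    for e in events:
        value = e.get(field)
        if value is None:
            if not usenull:
                continue                 # usenull=f: no series for missing values
            value = nullstr              # fillnull value=NULL "<field>"
        bucket = e["_time"] - e["_time"] % span   # prebin _time span=<span>
        table.setdefault(bucket, Counter())[value] += 1
    return {b: dict(c) for b, c in sorted(table.items())}


def events_missing(events, field):
    """Audit helper: the events that end up in the NULL series."""
    return [e for e in events if e.get(field) is None]


if __name__ == "__main__":
    print("stats:              ", stats_count_by(EVENTS, "level"))
    print("timechart:          ", timechart_count_by(EVENTS, "level"))
    print("timechart usenull=f:", timechart_count_by(EVENTS, "level", usenull=False))
    print("missing level:      ", events_missing(EVENTS, "level"))
```

In this model the NULL column comes entirely from events where the field is absent, which is why no event with a literal level=NULL value needs to exist for the series to appear.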