Why does Splunk auto fillnull my timechart?

the_wolverine
Champion

Did this change occur recently? Why would timechart auto fillnull my field in a timechart?

Example:
index=main | timechart count by level

RESULT:
I get a level=NULL* value in my table (Verified that there is no level=NULL in my data)

Search Inspector shows:
litsearch index=main | addinfo type=count label=prereport_events | fields keepcolorder=t "time" "level" "prestats_reserved" "psrsvd_" | prebin _time span=rtspan | fillnull value=NULL "level" | prestats count by _time level

** index=main | stats count by level
does NOT insert a fillnull on my level field.

0 Karma

JDukeSplunk
Builder

It might not solve for the WHY, but it will fix the issue if you are not concerned with what the nulls are.

index=main | timechart count by level usenull=f

0 Karma
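
A reproduction of the behaviour discussed in this thread, as an added example that is not from any of the posters. The nine events are constructed with `makeresults`, and `level` is deliberately left unset on every third one; the field values, the 20-second spacing and the 1-minute span are assumptions chosen for illustration. Because `usenull` defaults to true for `timechart`, events that lack the split-by field are counted in a series named NULL even though no event carries the literal value NULL.

```spl
| makeresults count=9
| streamstats count AS n
| eval _time = _time - (n * 20)
| eval level = case(n % 3 == 1, "INFO", n % 3 == 2, "ERROR")
| timechart span=1m count BY level
```

Appending `usenull=f` to the last line removes the NULL column. Replacing the last line with `stats count BY level` returns only the INFO and ERROR rows, because `stats` drops events where the BY field is absent.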

the_wolverine
Champion

Yes, the solution to work around the unwanted fill nulls is to use a level=* filter in the base query.

However, this is not required for stats -- and just wondering when the change to timechart occurred (to inject fillnull value=NULL automatically) or maybe I just wasn't paying attention to timechart behavior all of these years.

0 Karma

JDukeSplunk
Builder

I've never seen nulls crop up in timechart unless there was some value, either in the data or generated by an eval producing it.

I know stats is not showing your nulls, and I think you already tried level=*. The only thing I can think of is to see if running a subsearch after the timechart (or chart) might work, with a |search level=null and see if you get a result.

0 Karma

the_wolverine
Champion

search level=null returns nothing and the job inspector clearly shows that Splunk is adding:

| fillnull value=NULL "level"

This is why I suspect something has changed in recent versions -- this is version 6.3.4. I'm a long time Splunk user and this is the first time I've noticed it .. or like I said, I wasn't paying attention previously which I doubt as I've previously created workarounds for missing spans due to non-existent values.

0 Karma

somesoni2
SplunkTrust

What version of Splunk are you using? Do you get the same behaviour if you use following?

index=main level=* | timechart count by level

0 Karma

the_wolverine
Champion

Yes, using level=* filter is the obvious. Question is whether this behavior changed. stats doesn't inject a fillnull -- timechart does inject a fillnull.

Version is tagged 6.3.4.

Either stats or timechart produces a table.

0 Karma

jkat54
SplunkTrust

You said "in your table". Are you using timechart to create a table of events by time? If so, I think you should use | stats count by level, _time instead of timechart.

Can you try that and let us know the results?

0 Karma