Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

fill in 0 when there is no data

mcohen13
Loves-to-Learn
‎06-11-2018 01:43 AM

i have an index that calc amount of events for a specific domain name
this index have 3 fields: date,domain_name, event_count
if a domain have no event_count for a specific date than i don't have that record in the index
can i manipulate splunk into thinking that on missing dates for the last month the value was 0 (besides adding this data to the file)?

Tags (1)
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎06-11-2018 07:29 AM

Yes, you can use | makeresults in your search to create that missing data then create some conditional logic to fill null values OR leave it as-is. Here's an example 

| makeresults | eval domain_name=""
| [search index=.... <YOUR SEARCH>]
| eval domain_name=if(isnull(domain_name),"0",'domain_name')
0 Karma
Reply

mcohen13
Loves-to-Learn
‎06-11-2018 09:14 AM

i get this error:
"Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '31' of search query '| makeresults | eval info="" | [search index="doma'."
The query:
| makeresults | eval info="" | [search index="domain_event_agg_info" event_domain="XXXX.YYY."] | eval info=if(isnull(event_count),"0",'event_count')

0 Karma
Reply

jlvix1
Communicator
‎06-11-2018 06:51 AM

Where are the events coming from that are in this index? Sounds to me like the data source itself is at fault and you're missing events, leaving you with gaping holes in your data because you should be getting zero-based events.

0 Karma
Reply

poete
Builder
‎06-11-2018 01:47 AM

Hi,

I think this is what you are looking for:
https://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Fillnull

0 Karma
Reply

mcohen13
Loves-to-Learn
‎06-11-2018 02:04 AM

fillnull will not to the job
because i don't have null values in that field for a specific date
i have no values for that date

for example :
Query:
index="someindex" "domain"="domain_x" ] | chart max(event_count) over date
data:
date domain_x
2018-06-02 128
2018-06-03 623
2018-06-04 331

now i want to add that on other dates of the last month the value was 0 so i can call

0 Karma
Reply

niketn
Legend
‎06-11-2018 04:19 AM

@mcohen13, As far as your date field is having epoch time and not string time, fillnull should work. If it is string time then you either need to convert it to epoch using strptime() or use _time with span=1d instead.

Following is a run anywhere search based on Splunk's _internal index similar to your question (instead of 1d I have used 1h, to form more buckets).

index="_internal" "sourcetype"="splunkd" log_level=INFO
| chart span=1h max(cpu_seconds) as MaxValue over _time
| fillnull value=0 MaxValue

I have give max(cpu_seconds) an alias MaxValue and used fillnull for MaxValue. You can try without final fillnull command to see if Null Values are actually present or not.

Also, if you are plotting the result in chart, in the Chart Configuration Options i.e. Edit UI Panel and Format Visualization to change the Null Value to Zero to have similar efffect directly in chart (without using fillnull command).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

jlvix1
Communicator
‎06-11-2018 06:49 AM

I thought fillnull is only good for charting? He never said he was charting, I think he needs to put in a whole record for that entry he is missing...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...