Splunk Search

fillnull not working

logloganathan
Motivator

I have a query
base query | stats count by ABC | fillnull

but i am getting "no result"

instead of this, i want to display ABC count as "zero"

Tags (1)
0 Karma
1 Solution

kmaron
Motivator

Try this - from here: https://answers.splunk.com/answers/467823/if-there-are-no-results-found-how-do-i-get-my-sear.html

base query | stats count by ABC
 | appendpipe [ stats count | eval "NoResults"="0"  | where count=0 |table "NoResults"]

View solution in original post

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Try this

base query 
| append [|makeresults | eval count=""]
| stats count by ABC
|eval count=if(isnotnull(count),0,'count')
0 Karma

logloganathan
Motivator

Thanks for your help..still same result when i use this query

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Works on mine..

0 Karma

kmaron
Motivator

Try this - from here: https://answers.splunk.com/answers/467823/if-there-are-no-results-found-how-do-i-get-my-sear.html

base query | stats count by ABC
 | appendpipe [ stats count | eval "NoResults"="0"  | where count=0 |table "NoResults"]
0 Karma

logloganathan
Motivator

Awesome...i tried this query and its working fine..

0 Karma

FrankVl
Ultra Champion

I don't entirely follow what you're trying to achieve, but the purpose of fillnull is to populate empty fields with a null value, not to generate results when there are none. When the stats command returns 0 results, there is nothing to apply "fillnull" on.

If you can elaborate a bit more what you want to achieve (and if possible show some sample data and expected outcomes) we can try and help you find a solution that does work.

0 Karma

logloganathan
Motivator

stats command displaying "no result found" but i need value zero to be displayed

0 Karma

p_gurav
Champion

can you try :

 | stats count AS abc_count by ABC | fillnull abc_count value=0
0 Karma

logloganathan
Motivator

still i am getting the same result

0 Karma

p_gurav
Champion

logloganathan
Motivator

yes..could you please modify and provide the query

0 Karma

p_gurav
Champion

Can you share whole query? Is ABC field exist?

logloganathan
Motivator

yes..it exist..please consider ABC is name of error

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...