Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to display only those rows which have the fillnull values

vrmandadi
Builder
‎05-18-2018 10:22 AM

alt text
index=abc |chart sum(" Views") by "Site" ,"Event Date" | fillnull value=0

how can I display only those rows which have the fillnull value

Preview file
17 KB
0 Karma
Reply

somesoni2
Revered Legend
‎05-18-2018 10:47 AM

Give this a try

index=abc |chart sum("Views") by "Site_Section" ,"Event Date" | fillnull value=0
| eval hasZero="No" | foreach * [| eval hasZero=if("<<MATCHSTR>>"!="Site_Section" AND '<<FIELD>>'=0,"Yes",hasZero) ]
| where hasZero="Yes" | fields - hasZero
Reply

niketn
Legend
‎05-18-2018 10:30 AM

@vrmandadi, do you need the rows which have all 0s or at-least one zero for various "Event Date"?

Also if possible what is the format of "Event Date"? Can you add some sample data output for above query?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

vrmandadi
Builder
‎05-18-2018 10:35 AM

I just added an image ,and yes I need all the rows with 0s

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...