Solved: makemv and mvexpand empty results not showing

yasaracar · ‎10-16-2015

I need to see which questions a user answered. It is a multiple value field. Possible values:

question="1" or question="1,3" or question="" ....

I want to create a chart. My search is:

makemv delim="," question| mvexpand question| eval question= case(question==1, "Question-1", question==2,"Question-2", question==3,"Question-3",question=="","Not Filled") | chart  count by question

But it doesn't show the results for empty string "" value. Does anybody know a way to do that?

Cheers!

HiroshiSatoh · ‎10-16-2015

I think that where the value is gone.

|makemv delim="," question| mvexpand question

Try this!

|eval question=if(question=="",",",question)|makemv allowempty=true delim="," question| mvexpand question|

View solution in original post

HiroshiSatoh · ‎10-16-2015

I think that where the value is gone.

|makemv delim="," question| mvexpand question

Try this!

|eval question=if(question=="",",",question)|makemv allowempty=true delim="," question| mvexpand question|

yasaracar · ‎10-19-2015

Thanks! "eval if" was the key point to solve the problem.

The final query that works:

|eval question=if(question=="","Not Filled",question) |makemv allowempty=true delim="," question| mvexpand question | eval question= case(question==1, "Question-1", question==2,"Question-2", question==3,"Question-3",question=="Not Filled","Not Filled") | chart  count by question

makemv and mvexpand empty results not showing

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?