Splunk Search

makemv and mvexpand empty results not showing

yasaracar
Explorer

I need to see which questions a user answered. It is a multiple value field. Possible values:

question="1" or question="1,3" or question="" ....

I want to create a chart. My search is:

makemv delim="," question| mvexpand question| eval question= case(question==1, "Question-1", question==2,"Question-2", question==3,"Question-3",question=="","Not Filled") | chart  count by question

But it doesn't show the results for empty string "" value. Does anybody know a way to do that?

Cheers!

0 Karma
1 Solution

HiroshiSatoh
Champion

I think that where the value is gone.

|makemv delim="," question| mvexpand question

Try this!

|eval question=if(question=="",",",question)|makemv allowempty=true delim="," question| mvexpand question|

View solution in original post

HiroshiSatoh
Champion

I think that where the value is gone.

|makemv delim="," question| mvexpand question

Try this!

|eval question=if(question=="",",",question)|makemv allowempty=true delim="," question| mvexpand question|

yasaracar
Explorer

Thanks! "eval if" was the key point to solve the problem.

The final query that works:

|eval question=if(question=="","Not Filled",question) |makemv allowempty=true delim="," question| mvexpand question | eval question= case(question==1, "Question-1", question==2,"Question-2", question==3,"Question-3",question=="Not Filled","Not Filled") | chart  count by question
0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...