Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

query when the field might not exist

afrancoi
Engager
‎12-02-2011 08:06 AM

I have two types of entries in my log

02DEC2011_16:02:18.065 22480138:5912 INFO ../src/s_ccls_storagemanager.cpp:7878 GRAIN Id=CCLS:5478193982531698702:4c067463037c0059 ReqType=GETAKBLOBS Uuid=7901790 sid=5681561375462916618

02DEC2011_16:01:44.962 20185372:4113 INFO ../src/s_ccls_storagemanager.cpp:7958 GRAIN Id=CCLS:5478192230185041938:4c0672c7037c0018 ReqType=GETAKBLOBS Uuid=2296490 hier_id=1 hier_name='GICS' mnemonic=GICS name='.GICS Sectors' sid=5681561740561350815

and I would like to do a query where I see the stats for count by mnemonic but also include the log entries without a mnemonic.

Tags (3)
Reply

rossikwan
Path Finder
‎07-31-2013 01:18 AM

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Fillnull

0 Karma
Reply

Ayn
Legend
‎12-02-2011 08:22 AM

Create a value for mnemonic in the case where it doesn't exist in the event:

... | fillnull value="N/A" mnemonic | stats count by mnemonic
Reply

Ayn
Legend
‎12-02-2011 08:27 AM

Glad it helped! Could you please mark my answer as accepted? Thanks!

0 Karma
Reply

afrancoi
Engager
‎12-02-2011 08:24 AM

Awesome! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...