Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

query when the field might not exist

afrancoi
Engager
‎12-02-2011 08:06 AM

I have two types of entries in my log

02DEC2011_16:02:18.065 22480138:5912 INFO ../src/s_ccls_storagemanager.cpp:7878 GRAIN Id=CCLS:5478193982531698702:4c067463037c0059 ReqType=GETAKBLOBS Uuid=7901790 sid=5681561375462916618

02DEC2011_16:01:44.962 20185372:4113 INFO ../src/s_ccls_storagemanager.cpp:7958 GRAIN Id=CCLS:5478192230185041938:4c0672c7037c0018 ReqType=GETAKBLOBS Uuid=2296490 hier_id=1 hier_name='GICS' mnemonic=GICS name='.GICS Sectors' sid=5681561740561350815

and I would like to do a query where I see the stats for count by mnemonic but also include the log entries without a mnemonic.

Tags (3)
Reply

rossikwan
Path Finder
‎07-31-2013 01:18 AM

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Fillnull

0 Karma
Reply

Ayn
Legend
‎12-02-2011 08:22 AM

Create a value for mnemonic in the case where it doesn't exist in the event:

... | fillnull value="N/A" mnemonic | stats count by mnemonic
Reply

Ayn
Legend
‎12-02-2011 08:27 AM

Glad it helped! Could you please mark my answer as accepted? Thanks!

0 Karma
Reply

afrancoi
Engager
‎12-02-2011 08:24 AM

Awesome! Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...