Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

query when the field might not exist

afrancoi
Engager
‎12-02-2011 08:06 AM

I have two types of entries in my log

02DEC2011_16:02:18.065 22480138:5912 INFO ../src/s_ccls_storagemanager.cpp:7878 GRAIN Id=CCLS:5478193982531698702:4c067463037c0059 ReqType=GETAKBLOBS Uuid=7901790 sid=5681561375462916618

02DEC2011_16:01:44.962 20185372:4113 INFO ../src/s_ccls_storagemanager.cpp:7958 GRAIN Id=CCLS:5478192230185041938:4c0672c7037c0018 ReqType=GETAKBLOBS Uuid=2296490 hier_id=1 hier_name='GICS' mnemonic=GICS name='.GICS Sectors' sid=5681561740561350815

and I would like to do a query where I see the stats for count by mnemonic but also include the log entries without a mnemonic.

Tags (3)
Reply

rossikwan
Path Finder
‎07-31-2013 01:18 AM

Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Fillnull

0 Karma
Reply

Ayn
Legend
‎12-02-2011 08:22 AM

Create a value for mnemonic in the case where it doesn't exist in the event:

... | fillnull value="N/A" mnemonic | stats count by mnemonic
Reply

Ayn
Legend
‎12-02-2011 08:27 AM

Glad it helped! Could you please mark my answer as accepted? Thanks!

0 Karma
Reply

afrancoi
Engager
‎12-02-2011 08:24 AM

Awesome! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
Top