Splunk Search
Highlighted

question on stats and blank values

Builder

i have a table like below.
cola:colb:colc:cold
1::2:3:
::::
1:2:3:4

when i do a stats , i only get non-null values
is it possible to show null values in the form of table and eval them to 0...

0 Karma
Highlighted

Re: question on stats and blank values

Ultra Champion

How about fillnull ?

Highlighted

Re: question on stats and blank values

Builder

will try this...

0 Karma
Highlighted

Re: question on stats and blank values

SplunkTrust
SplunkTrust

It depends on your stats.

This returms all the values, regardless of null:

<base search>
| fields cola colb colc cold
| stats values(*) as *

<output>
cola colb colc cold
1    2    3    4

This returns only the values where cold is not null:

<base search>
| fields cola colb colc cold
| stats values(*) as * by cold

<output>
cold
4

The important thing about the by clause in the stats is that it will omit any log events where the fields in that by clause are null, so if you had 2 fields both must be populated for results to be returned, if one of the fields in the by clause is null that log event will not be present in your result set.

If you do the fillnull as per the other suggestion you would get this:

<base search>
| fillnull value="0"
| fields cola colb colc cold
| stats values(*) as *

<output>
cola colb colc cold
0    0    0    0
1    2    3    4

So really, the point is, what do you want the data to look like at the end, what is it you're trying to ask, what is the story you're trying to tell?

0 Karma
Highlighted

Re: question on stats and blank values

SplunkTrust
SplunkTrust

also, post your current spl to get better help 🙂

0 Karma
Highlighted

Re: question on stats and blank values

Builder

fillnull works for me, unfortunately i can mark only 1 answers are "Accept". both your answers were correct..

0 Karma
Highlighted

Re: question on stats and blank values

Builder

Thanks for responding . My situation is really the "by" one.. ( | stats values(*) as * by cold)

when i do the stats by, i lose anything that had null value.
but we want to see those null ones and they should have value=0

we are looking at non-compliant numbers and null basically means there are none , so its a good situation, but we are not seeing it in stats.

so instead of dissapearing , they should show as 0.
will that be possible if i do fillnull value=0 for all the fields before i do a stat by ?
would this made the stats by to show everything....

0 Karma
Highlighted

Re: question on stats and blank values

Ultra Champion
index=yourIndex 
| fillnull cola colb colc cold
| rest_your_search

try, simply.

View solution in original post

0 Karma
Highlighted

Re: question on stats and blank values

Builder

fillnull works for me.. thanks..

0 Karma