It depends on your stats.
This returms all the values, regardless of null:
<base search> | fields cola colb colc cold | stats values(*) as * <output> cola colb colc cold 1 2 3 4
This returns only the values where cold is not null:
<base search> | fields cola colb colc cold | stats values(*) as * by cold <output> cold 4
The important thing about the
by clause in the stats is that it will omit any log events where the fields in that by clause are null, so if you had 2 fields both must be populated for results to be returned, if one of the fields in the by clause is null that log event will not be present in your result set.
If you do the
fillnull as per the other suggestion you would get this:
<base search> | fillnull value="0" | fields cola colb colc cold | stats values(*) as * <output> cola colb colc cold 0 0 0 0 1 2 3 4
So really, the point is, what do you want the data to look like at the end, what is it you're trying to ask, what is the story you're trying to tell?
Thanks for responding . My situation is really the "by" one.. ( | stats values(*) as * by cold)
when i do the stats by, i lose anything that had null value.
but we want to see those null ones and they should have value=0
we are looking at non-compliant numbers and null basically means there are none , so its a good situation, but we are not seeing it in stats.
so instead of dissapearing , they should show as 0.
will that be possible if i do fillnull value=0 for all the fields before i do a stat by ?
would this made the stats by to show everything....