Solved: return events with null values in an eval function

edookati · ‎12-11-2014

I am using the below query, but few events in the logs don't have service_name values. They only have operation_name. I need to include these events in the results with only the operation name. Please help me.

index=jms_logs sourcetype=perflogs | eval service_operation = service_name.".".operation_name | table service_operation | dedup service_operation | sort service_operation

thanks.

somesoni2 · ‎12-11-2014

Try this

index=jms_logs sourcetype=perflogs | eval service_operation = coalesce(service_name.".","").operation_name | stats count by service_operation | table sort service_operation

The stats will automatically remove duplicates and sort.

View solution in original post

somesoni2 · ‎12-11-2014

Try this

index=jms_logs sourcetype=perflogs | eval service_operation = coalesce(service_name.".","").operation_name | stats count by service_operation | table sort service_operation

The stats will automatically remove duplicates and sort.

edookati · ‎12-11-2014

thanks. it worked

return events with null values in an eval function

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

return events with null values in an eval function

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...