Solved: return events with null values in an eval function

edookati · ‎12-11-2014

I am using the below query, but few events in the logs don't have service_name values. They only have operation_name. I need to include these events in the results with only the operation name. Please help me.

index=jms_logs sourcetype=perflogs | eval service_operation = service_name.".".operation_name | table service_operation | dedup service_operation | sort service_operation

thanks.

somesoni2 · ‎12-11-2014

Try this

index=jms_logs sourcetype=perflogs | eval service_operation = coalesce(service_name.".","").operation_name | stats count by service_operation | table sort service_operation

The stats will automatically remove duplicates and sort.

View solution in original post

somesoni2 · ‎12-11-2014

Try this

index=jms_logs sourcetype=perflogs | eval service_operation = coalesce(service_name.".","").operation_name | stats count by service_operation | table sort service_operation

The stats will automatically remove duplicates and sort.

edookati · ‎12-11-2014

thanks. it worked

return events with null values in an eval function

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation