Solved: return events with null values in an eval function

edookati · ‎12-11-2014

I am using the below query, but few events in the logs don't have service_name values. They only have operation_name. I need to include these events in the results with only the operation name. Please help me.

index=jms_logs sourcetype=perflogs | eval service_operation = service_name.".".operation_name | table service_operation | dedup service_operation | sort service_operation

thanks.

somesoni2 · ‎12-11-2014

Try this

index=jms_logs sourcetype=perflogs | eval service_operation = coalesce(service_name.".","").operation_name | stats count by service_operation | table sort service_operation

The stats will automatically remove duplicates and sort.

View solution in original post

somesoni2 · ‎12-11-2014

Try this

index=jms_logs sourcetype=perflogs | eval service_operation = coalesce(service_name.".","").operation_name | stats count by service_operation | table sort service_operation

The stats will automatically remove duplicates and sort.

edookati · ‎12-11-2014

thanks. it worked

return events with null values in an eval function

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

return events with null values in an eval function

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination