Splunk Search

stats command to get count of NULL values

anoopambli
Communicator

I am using a DB query to get stats count of some data from 'ISSUE' column. This column also has a lot of entries which has no value in it.

something like,

ISSUE

Event log alert

Skipped count

how do i get the NULL value (which is in between the two entries also as part of the stats count. Is there any way?

Tags (1)
1 Solution

lukejadamec
Super Champion

In your search use the fillnull command and assign a value to that field when it is null, then count that value for the field.

search issue="*" | fillnull value=null issue | stats count by issue

View solution in original post

JChapp23
Loves-to-Learn Lots

Is there a way to rename the NULL to display something else?

 

0 Karma

lukejadamec
Super Champion

In your search use the fillnull command and assign a value to that field when it is null, then count that value for the field.

search issue="*" | fillnull value=null issue | stats count by issue

anoopambli
Communicator

awesome, that fixed it :slightly_smiling_face: thanks a lot.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...