Solved: while using chart i see null value and that partic...

vikashperiwal · ‎07-29-2020

HI,

While use chart command i am getting null values for status in search and the same in dashboard i do not see in the panel. I am trying to get distinct count of run_id for each values(col1,col2,col,3...)

This i am seng in the search head.

Name	col1	col2	col3	col4
abc123	21	40
xyz789	35	50

In Dashboard, panel shows below table missing with col3 ans col4

ID	col1	col2
abc123	21	40
xyz789	35	50

Search Query:

index=xyz sourcetype=abc event_name=test earliest=@d
| fields - _raw
| eval TIME=strftime(strptime(timestamp,"%Y.%m.%d"),"%F")
| fields app_name event_name TIME values Id
| search name=* values="col1" OR values="col2" OR values="col3" OR values="col4"
| chart dc(run_Id) OVER name by values
| fields "APP NAME" col1 col2 col3 col4

And also i want to add one new column:

some thing count(Id) as ID_Count by time

I tried usenull, useother, fillnull, none worked.

vikashperiwal · ‎07-31-2020

could get ths done by adding fillnull value = 0 field1 field 2. at the end of query

View solution in original post

richgalloway · ‎07-29-2020

If the values field has only 2 distinct values then only two will have data.
Your dashboard must be using a different query because the output is different ("ID" instead of "APP NAME").

---
If this reply helps you, Karma would be appreciated.

vikashperiwal · ‎07-31-2020

could get ths done by adding fillnull value = 0 field1 field 2. at the end of query

while using chart i see null value and that particular col is not visible in dashboard

chart

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?