Splunk Search

while using chart i see null value and that particular col is not visible in dashboard

vikashperiwal
Path Finder

HI,

While use chart command i am getting null values for status in search and the same in dashboard i do not see in the panel. I am trying to get distinct count of run_id for each values(col1,col2,col,3...) 

This i am seng in the search head.

Name col1 col2 col3 col4
abc123 21 40    
xyz789 35 50    

 

In Dashboard, panel shows below table missing with col3 ans col4

ID col1 col2
abc123 21 40
xyz789 35 50

 

 

Search Query:

index=xyz sourcetype=abc event_name=test earliest=@d
| fields - _raw
| eval TIME=strftime(strptime(timestamp,"%Y.%m.%d"),"%F")
| fields app_name event_name TIME  values Id
| search name=* values="col1" OR values="col2" OR values="col3" OR values="col4"
| chart dc(run_Id) OVER name  by values 
| fields "APP NAME" col1 col2 col3 col4 

 

And also i want to add one new column:

some thing count(Id) as ID_Count by time

 

I tried usenull, useother, fillnull, none worked.

Labels (1)
Tags (3)
0 Karma
1 Solution

vikashperiwal
Path Finder

could get ths done by adding fillnull value = 0 field1 field 2. at the end of query 

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust
If the values field has only 2 distinct values then only two will have data.
Your dashboard must be using a different query because the output is different ("ID" instead of "APP NAME").
---
If this reply helps you, an upvote would be appreciated.
0 Karma

vikashperiwal
Path Finder

could get ths done by adding fillnull value = 0 field1 field 2. at the end of query 

View solution in original post

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!