My Splunk query, which I included below, generates a table, which appears as follows. The issue that I'm trying to resolve is being able to populate non-existent values with "No Data", as shown in the 2020-08-11 column. There are other date columns with non-existent values (note, these are not just null values, which have been set by fillnull value=0. These are non-existent values.) Can someone provide some assistance on how to do this? I have used fillnull and filldown, but have not been successful. I have also tried eval statements setting the parameter to null.

Service ID  Resource Name  Transaction Name  Priority  Service Area  Consumer  2020-08-12  2020-08-11  2020-08-10  2020-08-09
ID1         GET            Transaction1      1         Area1         App1      3                       4           0
ID2         PUT            Transaction2      2         Area2         App2      8                       2           5

index=test_index_1 sourcetype=test_sourcetype_2
| eval epoch_Timestamp=strptime(Timestamp, "%Y-%m-%dT%H:%M:%S.%3QZ")-14400
| rename "Transaction Name" as trans_name, "Application Name" as application_name, "Status Code" as status_code
| eval service_id=case(Verb="GET" AND trans_name="Transaction1" AND application_name="APP1", "ID1", Verb="GET" AND trans_name="Transaction2" AND application_name="App2", "ID2", Verb="PUT" AND trans_name="Transaction2" AND application_name="App2", "ID3", 1=1, "Unqualified")
| where service_id!="Unqualified"
| eval Priority=case(Verb="GET" AND trans_name="Transaction1" AND application_name="APP1", "2", Verb="GET" AND trans_name="Transaction2" AND application_name="App2", "2", Verb="PUT" AND trans_name="Transaction2" AND application_name="App2", "1", 1=1, "Unqualified")
| where Priority!="Unqualified"
| eval service_area=case(Verb="GET" AND trans_name="Transaction1" AND application_name="APP1", "Area1", Verb="GET" AND trans_name="Transaction2" AND application_name="App2", "Area2", Verb="PUT" AND trans_name="Transaction2" AND application_name="App2", "Member", 1=1, "Unqualified")
| where service_area!="Unqualified"
| eval date_reference=strftime(epoch_Timestamp, "%Y-%m-%d")
| stats count(eval(status_code)) as count by service_id, Verb, trans_name, Priority, service_area, application_name, date_reference
| eval combined=service_id."@".Verb."@".trans_name."@".Priority."@".service_area."@".application_name."@"
| xyseries combined date_reference count
| rex field=combined "^(?<service_id>[^\@]+)\@(?<Verb>[^\@]+)\@(?<trans_name>[^\@]+)\@(?<Priority>[^\@]+)\@(?<service_area>[^\@]+)\@(?<application_name>[^\@]+)\@$"
| fillnull value="0"
| table service_id, Verb, trans_name, Priority, service_area, application_name [ makeresults | addinfo | eval time = mvappend(relative_time(info_min_time,"@d"),relative_time(info_max_time,"@d")) | fields time | mvexpand time | makecontinuous time span=1d | eval time=strftime(time,"%F") | reverse | stats list(time) as time | return $time ]
| rename service_id as "Service ID", Verb as "Resource Name", trans_name as "Transaction Name", Priority as "Priority", service_area as "Service Area", application_name as "Consumer"
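Added example, not part of the original post and not SPL: a Python model of the same reshaping pipeline (stats by key and date, a continuous day range like makeresults | makecontinuous, then an xyseries-style pivot), written to keep the two cases the question distinguishes apart. A (key, day) pair that the stats stage produced with a count of 0 stays 0; a pair the stats stage never produced at all becomes "No Data". The sample rows, the key field names and the "No Data" marker are constructed for the example. The last function shows why the distinction matters to a defender: a day that reads "No Data" for every key is a telemetry gap (the source stopped sending), which filling with 0 would silently disguise as a quiet day.

```python
from datetime import date, timedelta

# Constructed sample: what a `stats count ... by key fields, date_reference` stage
# might return. 2020-08-11 never appears for any key, so that day has no row at all
# (a non-existent value), whereas ID1 on 2020-08-09 was observed with a count of 0.
STATS_ROWS = [
    ("ID1", "GET", "Transaction1", "1", "Area1", "App1", "2020-08-12", 3),
    ("ID1", "GET", "Transaction1", "1", "Area1", "App1", "2020-08-10", 4),
    ("ID1", "GET", "Transaction1", "1", "Area1", "App1", "2020-08-09", 0),
    ("ID2", "PUT", "Transaction2", "2", "Area2", "App2", "2020-08-12", 8),
    ("ID2", "PUT", "Transaction2", "2", "Area2", "App2", "2020-08-10", 2),
    ("ID2", "PUT", "Transaction2", "2", "Area2", "App2", "2020-08-09", 5),
]

# Display names for the key columns (assumed; mirrors the rename at the end of the query).
KEY_FIELDS = ("Service ID", "Resource Name", "Transaction Name",
              "Priority", "Service Area", "Consumer")

NO_DATA = "No Data"  # marker for cells the stats stage never produced


def continuous_dates(start, end):
    """Every calendar day from start to end inclusive, newest first.
    Stands in for: makeresults | makecontinuous time span=1d | reverse."""
    d0, d1 = date.fromisoformat(start), date.fromisoformat(end)
    span = (d1 - d0).days
    return [(d1 - timedelta(days=i)).isoformat() for i in range(span + 1)]


def pivot_with_gaps(rows, dates, missing=NO_DATA):
    """Pivot (key, day) -> count into one row per key and one column per day (xyseries).
    A day absent from `rows` for that key yields `missing`; a real 0 stays 0."""
    per_key = {}
    for *key, day, count in rows:
        per_key.setdefault(tuple(key), {})[day] = count
    table = []
    for key, counts in per_key.items():
        row = dict(zip(KEY_FIELDS, key))
        for day in dates:
            row[day] = counts.get(day, missing)
        table.append(row)
    return table


def telemetry_gaps(table, dates, missing=NO_DATA):
    """Days on which every key reads `missing`: nothing at all was indexed for that day,
    which points at a collection outage rather than genuinely zero activity."""
    return [day for day in dates if table and all(row[day] == missing for row in table)]


if __name__ == "__main__":
    days = continuous_dates("2020-08-09", "2020-08-12")
    pivot = pivot_with_gaps(STATS_ROWS, days)
    columns = list(KEY_FIELDS) + days
    print("  ".join(columns))
    for row in pivot:
        print("  ".join(str(row[c]) for c in columns))
    print("telemetry gaps:", telemetry_gaps(pivot, days))
```

The key point is the order of operations: the set of day columns comes from the time range, not from the data, and the "missing" marker is applied while pivoting against that full set. Filling after the fact only ever touches columns that already exist in the result set, which is exactly the behaviour the question runs into.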