My XML tree has null values for certain fields. I am using "table" command to display fields in a tabular format. I am having difficulty to fill null values with a value (like "not_defined"). The "fillnull" command doesn't work because it just display one single fillnull value for the entire column. My event has 4 different values for the same field.
Current query:
index=ilo sourcetype=test | search RIMP.INFRA2.ENCL=-po- | table RIMP.INFRA2.ENCL, RIMP.INFRA2.BLADES.BLADE.NAME, "RIMP.INFRA2.BLADES.BAYS.BAY{@NAME}", RIMP.INFRA2.BLADES.BLADE.SPN | sort RIMP.INFRA2.ENCL
Each enclosure has 4 blades: 1st column =enclosure, 2nd column=blade name, 3rd column=blade type
Current Output:
RIMP.INFRA2.ENCL - RIMP.INFRA2.BLADES.BLADE.NAME - RIMP.INFRA2.BLADES.BLADE.SPN
ccpesx-po-a1-p - ccpesx-po-e001-p.po.splunk.com - ProLiant BL460c Gen8
- ccpesx-po-e002-p.po.splunk.com - ProLiant BL460c Gen8
- ccpesx-po-e003-p.po.splunk.com - ProLiant BL460c Gen8
- ccpesx-po-e004-p.po.splunk.com - ProLiant BL460c Gen8
ccpesx-po-a2-p - - ProLiant BL460c Gen8
- - ProLiant BL460c Gen8
- - ProLiant BL460c Gen8
- - ProLiant BL460c Gen8
Expected output:
RIMP.INFRA2.ENCL - RIMP.INFRA2.BLADES.BLADE.NAME - RIMP.INFRA2.BLADES.BLADE.SPN
ccpesx-po-a1-p - ccpesx-po-e001-p.po.splunk.com - ProLiant BL460c Gen8
- ccpesx-po-e002-p.po.splunk.com - ProLiant BL460c Gen8
- ccpesx-po-e003-p.po.splunk.com - ProLiant BL460c Gen8
- ccpesx-po-e004-p.po.splunk.com - ProLiant BL460c Gen8
ccpesx-po-a2-p - not_defined - ProLiant BL460c Gen8
- not_defined - ProLiant BL460c Gen8
- not_defined - ProLiant BL460c Gen8
- not_defined - ProLiant BL460c Gen8
... View more