I am logging a number of simple on/off switches that Splunk has done a wonderful job automagically parsing. The data is timestamped, has a field name, and a value which can be either a 1 or a 0 to represent state. The data is only logged when it changes state, so if a switch is turned on, there is one line for that, and one line for it when it turns off.
My problem is, I would like to fill in the null values in a results table with their previous event value as that would represent the state the field is in until it reflects the next change.
Any suggestions? I interpret fillnull to be a static solution that isn't applicable to filling null with conditional values. If I'm wrong, please enlighten me.
arri
edit:
nick suggested I look at eventstats; in trying this I am not seeing appropriate results. I read the following in the documentation:
sourcetype=access_combined | eventstats avg(kbps) as avgkbps by host
When you run this set of commands, Splunk adds a new avgkbps field to each
sourcetype=access_combined event that includes the kbps field. The value of
avgkbps is the average kbps for that event.
What I am finding is that | eventstats last() is showing only THE last event value and using that throughout, whereas what I am hoping to find is something to reveal EACH last event value prior to a known value, to fill in the gaps between events in the table, kind of like the treatment for null values in the reporting editor allowing one to omit, connect or treat as zero; I'd like to "treat as previous". Since my data value is inherently binary, perhaps there is a simple transform I can apply.
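The "treat as previous" fill described in the post, worked through as an added Python example (not from the original post or from Splunk): change-only switch events are pivoted into a sparse table and each null cell is replaced with the last value logged for that switch, while cells before a switch's first event are left empty because that state was never logged. The switch names and timestamps are constructed sample data.

```python
from collections import OrderedDict

# Constructed sample: change-only events for two switches, as the post describes.
# Each event is (timestamp, field name, state); a switch logs a line only when it flips.
EVENTS = [
    ("2013-01-01T00:00", "door", 1),
    ("2013-01-01T00:05", "alarm", 1),
    ("2013-01-01T00:10", "door", 0),
    ("2013-01-01T00:20", "alarm", 0),
    ("2013-01-01T00:30", "door", 1),
]

def pivot(events):
    """Build the sparse results table: one row per timestamp, one column per switch.
    A cell is None when that switch did not change state at that timestamp."""
    fields = sorted({name for _, name, _ in events})
    rows = OrderedDict()
    for ts, name, value in sorted(events, key=lambda e: e[0]):
        rows.setdefault(ts, {f: None for f in fields})[name] = value
    return rows

def filldown(rows):
    """'Treat as previous': replace each None with the last non-null value seen
    for that column in timestamp order. Cells before a switch's first event stay
    None, because its state before then was never logged and must not be guessed."""
    filled = OrderedDict()
    last_seen = {}
    for ts, row in rows.items():
        new_row = {}
        for field, value in row.items():
            if value is not None:
                last_seen[field] = value
            new_row[field] = last_seen.get(field)  # None until first observation
        filled[ts] = new_row
    return filled

def state_table(events):
    """Sparse table first, then forward-filled: the table the post is asking for."""
    return filldown(pivot(events))

if __name__ == "__main__":
    for ts, row in state_table(EVENTS).items():
        print(ts, row)
```

In SPL the same forward fill over a sorted result set is what the filldown command does (| filldown <field-list>); the Python above shows the semantics, including that nothing is invented for a switch before its first logged change.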