×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
praveenmallu
New Member
Member since: ‎11-11-2021
‎11-11-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-11-2021
View All

Re: Events with extracted field which is NULL are ...

by in Dashboards & Visualizations
‎11-11-2021 12:21 PM
‎11-11-2021 12:21 PM
Thanks for the response @ITWhisperer , However, both  index=<index> sourcetype=log4j host=$host$ <Extracted field>=* | timechart span=1m count by <Extracted field> index=<index> sourcetype=log4j host=$host$ <Extracted field>!=NULL | timechart span=1m count by <Extracted field> are giving me same results and not adding up to all incoming transactions/events. ... View more

Events with extracted field which is NULL are not ...

by in Dashboards & Visualizations
‎11-11-2021 10:00 AM
‎11-11-2021 10:00 AM
I am looking it a weird issue where I am trying to fix one of the panels in a dashboard, The panel has a query like below index=<index> sourcetype=log4j host=$host$  <Extracted field> != NULL | timechart span=1m count by <Extracted field> issue is we are getting inaccurate counts as this part "<Extracted field> != NULL"  in the above query is filtering out majority of the events, and when we are trying to see which events are filtered by using "<Extracted field> = NULL" we are not seeing any events. How does splunk treat extracted fields which are NULL or in what situations these fields end up as NULL. Any suggestions for the above issue? Thanks in advance! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎11-11-2021 09:19 PM