Splunk ITSI

ITSI distinct count KPI: 0 vs. NULL values?

curtismcginity
Explorer

I have a simple KPI giving a distinct count of a USER_ID field. Assume USER_ID exists for 100% of logged events. Within ITSI, the KPI is configured to "fill gaps in data" with NULL values and an Unknown threshold level.

During a time when no events were logged, the KPI maintained a 0 value (not the NULL value). Is this a bug, or some kind of expected behavior? Any suggestions on a workaround?

RickvdIJ
Explorer

Hi,

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

The resulting search is: | stats dc(USER_ID).

Perhaps you can create a counter field, where the result of an existing field is 0 or more. And without events this field will not be there?
eval counterfield=if(USER_ID=="",1,0)

curtismcginity
Explorer

If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.

Actually there's a very important distinction to make here. Suppose I ask you, "How many balls are inside the box in the next room?" Consider two scenarios:

  1. You walk into the next room, see the box, look inside, and see nothing. 
  2. You walk into the next room and see nothing. No box, no balls; nothing.

These are clearly not the same scenario, and so I would expect different behavior imho. Intuitively, a human would likely respond along the lines of

  1. "Zero!"
  2. "Uhm... there is no box!"

The fundamental issue is that any feasible response to a question implicitly validates the premise(s) of the question. In case 2, we need Splunk to return a result indicating our premise is false. Indeed, the "null value" config exists, at least in part, to make this distinction... assuming it works 😉
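To make the "empty box" versus "no box" distinction concrete, here is an added Python simulation; it is not code from this thread or from Splunk/ITSI, and the function and sample-event names are this example's own. It buckets constructed sample events into 5-minute windows, mirrors the `| stats dc(USER_ID)` result (which is 0 both when no event carries USER_ID and when there are no events at all), then shows a per-bucket KPI that keeps None for windows with no events, followed by the three gap-filling policies the thread mentions (NULL, carry the last value forward, custom value).

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): (timestamp, fields).
# Window 10:00 has events from two distinct users, window 10:05 has events
# that carry no USER_ID at all, and window 10:10 has no events whatsoever.
BASE = datetime(2024, 1, 1, 10, 0)
BUCKET = timedelta(minutes=5)
SAMPLE_EVENTS = [
    (BASE + timedelta(minutes=1), {"USER_ID": "alice", "action": "login"}),
    (BASE + timedelta(minutes=2), {"USER_ID": "bob", "action": "login"}),
    (BASE + timedelta(minutes=3), {"USER_ID": "alice", "action": "logout"}),
    (BASE + timedelta(minutes=6), {"action": "heartbeat"}),  # no USER_ID field
    (BASE + timedelta(minutes=7), {"action": "heartbeat"}),
    # nothing at all between 10:10 and 10:15
]


def bucket_start(ts, base=BASE, width=BUCKET):
    """Align a timestamp to the start of its window (like `bin _time span=5m`)."""
    return base + ((ts - base) // width) * width


def naive_dc(events, field):
    """Mirror of `| stats dc(field)`: the distinct count is 0 when no event
    carries the field AND when the event list is empty, so the two cases
    are indistinguishable from the number alone."""
    return len({fields[field] for _, fields in events if field in fields})


def kpi_dc(events, field, start, end, width=BUCKET):
    """Per-window distinct count that keeps 'no data' apart from 'zero':
    a window with no events yields None (the box is not there), a window
    with events but no values of `field` yields 0 (the box is empty)."""
    windows = {}
    t = start
    while t < end:
        windows[t] = []
        t += width
    for ts, fields in events:
        b = bucket_start(ts, start, width)
        if b in windows:
            windows[b].append((ts, fields))
    return {b: (None if not evs else naive_dc(evs, field))
            for b, evs in windows.items()}


def fill_gaps(series, mode="null", custom=0):
    """Apply a gap-filling policy to a per-window series (policy names are
    this example's own): 'null' keeps None, 'last' carries the previous
    non-null value forward, 'custom' substitutes a fixed value."""
    out, last = {}, None
    for b in sorted(series):
        v = series[b]
        if v is None:
            if mode == "last":
                v = last
            elif mode == "custom":
                v = custom
        else:
            last = v
        out[b] = v
    return out


if __name__ == "__main__":
    series = kpi_dc(SAMPLE_EVENTS, "USER_ID", BASE, BASE + 3 * BUCKET)
    for b, v in series.items():
        print(b.strftime("%H:%M"), "raw:", v,
              "null:", fill_gaps(series, "null")[b],
              "last:", fill_gaps(series, "last")[b],
              "custom:", fill_gaps(series, "custom", 0)[b])
```

The third window is the case from the question: `naive_dc` would report 0 for it, exactly like `| stats dc(USER_ID)` over an empty result set, and only the separate "were there any events?" test lets the KPI emit None so that the NULL gap-filling policy has something to act on.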

logankinman99
Path Finder

I have the exact opposite problem (but the same).
I have it set to show custom value 0 but it just shows Null.

0 Karma

RickvdIJ
Explorer

I have the same issue. I want to continue with the latest available value but the result is 0. If you run, investigate and expand the generated search you see ITSI is performing a: | stats dc(USER_ID) and with a macro it stores the result in a cache.

Statistically, a result of no occurrences will result in the value 0.
I'm trying with streamstats, latest/earliest and such but no luck yet.

0 Karma

VatsalJagani
SplunkTrust

@curtismcginity - I think if you set that to NULL value it shows the discontinued chart.

0 Karma