I have simple KPI giving a distinct count of a USER_ID field. Assume USER_ID exists for 100% of logged events. Within ITSI, the KPI is configured to "fill gaps in data" with NULL values and an Unknown threshold level.
During a time when no events were logged, the KPI maintained a 0 value (not the NULL value). Is this a bug, or some kind of expected behavior? Any suggestions on a workaround?
Hi,
If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.
The resulting search is: | stats dc(USER_ID).
Perhaps you can create a counter field, where the result of an existing field is 0 or more. And without events this field will not be there?
eval counterfield=if(USER_ID=="",1,0)
If you do a (distinct)count of something and there are no matching events, the result is 0.
This is expected behavior imho.
Actually there's a very important distinction to make here. Suppose I ask you, "How many balls are inside the box in the next room?" Consider two scenarios:
These are clearly not the same scenario, and so I would expect different behavior imho. Intuitively, a human would likely respond along the lines of
The fundamental issue is that any feasible response to a question implicitly validates the premise(s) of the question. In case 2, we need Splunk to return a result indicating our premise is false. Indeed, the "null value" config exists, at least in part, to make this distinction... assuming it works 😉
I have the exact opposite problem (but the same).
I have it set to show custom value 0 but it just shows Null.
I have the same issue. I want to continue with the latest available value but the result is 0. If you run, investigate and expand the generated search you see ITSI is performing a: | stats dc(USER_ID) and with a macro it stores the result in a cache.
Statistically, a result of no occurences will result in the value 0.
I'm trying with streamstats, latest/earliest and such but no luck yet.
@curtismcginity - I think if you set that to NULL value it shows the discontinued chart.