Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display the last value of an event in place of each of the remaining null values in a row?

kkarthik2
Observer
‎07-14-2015 02:44 AM

Example: My dashboard looks like

              1:00       2:00       3:00       4:00
 1. foo       100        200        -          -
 2. foo1      -          -          50         100
 3. foo3      50         100        200        -
 4. foo4      -          50         100        200

We need to replace "-" with 200 in "1.foo" and similarly for "3.foo3".

I have used filldown, but it is not working. Can someone help me with the search for this?

sourcetype="foo" | ....|chart max(S1) as S1 by foo, time | filldown S1.

Tags (3)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎07-14-2015 04:20 AM

You should be able to use the fillnull command.

sorucetype="foo" | ....|chart max(S1) as S1 by foo,time | fillnull value=200 S1

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/fillnull

0 Karma
Reply

kkarthik2
Observer
‎07-14-2015 10:54 PM

But It should showing in all the places wherever "-" presents. Plz look it below 

                  1:00         2:00         3:00          4:00
  1. foo 100 200 - -
  2. foo1 - - 50 100
  3. foo3 50 100 300 -
  4. foo4 - 50 100 -

We need to replace "-" with 200 in "1.foo" at time of 3:00 and 4:00and similarly for "3.foo3" should replace 300 at time of 4:00. In 4.foo4 replace 100 at 4:00, not at 1:00

I have used filldown, but it is not working. Can someone help me with the search for this?

0 Karma
Reply

kkarthik2
Observer
‎07-14-2015 10:56 PM

need to show latest value on remaining times for each row, once we get value reaches the target.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...