Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search by a field which may have null value?

kingso_paypal
Explorer
‎07-28-2022 09:31 PM

Below is the log events that I have. One has max_amount value and one has empty value. I want to find out the events that have transaction_amount > max_amount. 

 

 

[Date=2022-07-29, max_amount=100, transaction_amount=120]

[Date=2022-07-29, max_amount=100, transaction_amount=90]

[Date=2022-07-29, transaction_amount=120]

 

 

I tried transaction_amount>max_amount but not working. I guess it is due to some records having no max_amount value.

 

 

index=<table_name> transaction_amount>max_amount | bucket Date span=day | fillnull value=null max_amount | stats count by Date, max_amount, transaction_amount

 

 

 How to get the record #1?

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-01-2022 12:04 AM

This is because search command cannot dereference field value, not because of missing value in some events.  Use where command instead.

index=<table_name>
| eventstats values(max_amount) AS max_amount ``` only if max_amount is a fixed value ```
| where transaction_amount > max_amount

The above assumes that max_amount is a fixed value for every event.

Obviously, if you don't want to count those events that lacks max_amount, remove that eventstats.  On the other hand, if max_amount could be different values in different events but you want to set a value in those events, you need to decide whether to replace value() with min(), max(), avg(), median(), or any other statistical function that returns a single value from multiple values.

View solution in original post

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-01-2022 12:04 AM

This is because search command cannot dereference field value, not because of missing value in some events.  Use where command instead.

index=<table_name>
| eventstats values(max_amount) AS max_amount ``` only if max_amount is a fixed value ```
| where transaction_amount > max_amount

The above assumes that max_amount is a fixed value for every event.

Obviously, if you don't want to count those events that lacks max_amount, remove that eventstats.  On the other hand, if max_amount could be different values in different events but you want to set a value in those events, you need to decide whether to replace value() with min(), max(), avg(), median(), or any other statistical function that returns a single value from multiple values.

Reply
Solved! Jump to solution

kingso_paypal
Explorer
‎07-29-2022 02:59 AM

Both cases are true to me. But when I tried, both return 0 records to me. Why?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-29-2022 03:08 AM

Hi @kingso_paypal ,

running the main search, do you see both the fields in interesting fields panel?

If yes, have you values or not?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

kingso_paypal
Explorer
‎07-31-2022 09:14 PM

It returns 0 events. This happens when I add a column which has no value at all unless I "fillnull" it, but I did it on max_amount field...

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-31-2022 11:41 PM

Hi @kingso_paypal,

running this search:

index=<table_name> transaction_amount>max_amount

have you results?

do you see both the fields in interesting fields panel?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-03-2022 02:23 AM

Hi @kingso_paypal,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-28-2022 11:05 PM

Hi @kingso_paypal,

Let me understand: you want to take events with  transaction_amount>max_amount, but do you want to consider also events without max_amount or not?

If yes, you could fullfill missing values with zero, if not, you have to add a condition to the main search:

first case

index=<table_name> (transaction_amount>max_amount OR (transaction_amount>0 NOT max_amount=*))
| bucket Date span=day 
| fillnull value=null max_amount 
| stats count by Date, max_amount, transaction_amount

 second case:

index=<table_name> (transaction_amount>max_amount max_amount=*)
| bucket Date span=day 
| fillnull value=null max_amount 
| stats count by Date, max_amount, transaction_amount

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...