Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search results include fields with no values, can this be done?

DanielFordWA
Contributor
‎05-22-2013 08:10 AM

Is it possible to get search results in a table when only some of the results will have all the fields associated with them?

Currently I cannot get this to work.

For example....

DateTimeUserURLTermProduct
15/05/201310:01:02User123456/Home/--
15/05/201310:01:32User123456/Products/--
15/05/201310:01:53User123456/Products/Product1/-ID12345678
15/05/201310:02:42User123456/Search/--
15/05/201310:03:12User123456/Search/Results/Car-
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-22-2013 08:16 AM

fillnull?

... | fillnull value="-" Term Product | ...

View solution in original post

Reply
Solved! Jump to solution

wpreston
Motivator
‎05-23-2013 05:18 AM

I usually use eval to handle these. Something like:

...my search params... | eval TermProduct=if(isnull(TermProduct),"None",TermProduct) | ...other search params...

then adjust your search to account for "None" (or whatever you want to eval it to) in that field.

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-22-2013 08:16 AM

fillnull?

... | fillnull value="-" Term Product | ...
Reply
Solved! Jump to solution

Ayn
Legend
‎05-23-2013 05:21 AM

You need fillnull before your stats command, not after.

0 Karma
Reply
Solved! Jump to solution

DanielFordWA
Contributor
‎05-23-2013 04:52 AM

If in my search query I use the below...

stats count by Date Time User URL Term | Fields Date Time User URL Term | fillnull value="-" Term

This will only return the last result on the above table. The previous 4 results do not have the field "Term" associated with them, however I would like these to populate with a blank if that is the case.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...