Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search results include fields with no values, can ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DanielFordWA
Contributor
05-22-2013
08:10 AM
Is it possible to get search results in a table when only some of the results will have all the fields associated with them?
Currently I cannot get this to work.
For example....
| Date | Time | User | URL | Term | Product |
|---|---|---|---|---|---|
| 15/05/2013 | 10:01:02 | User123456 | /Home/ | - | - |
| 15/05/2013 | 10:01:32 | User123456 | /Products/ | - | - |
| 15/05/2013 | 10:01:53 | User123456 | /Products/Product1/ | - | ID12345678 |
| 15/05/2013 | 10:02:42 | User123456 | /Search/ | - | - |
| 15/05/2013 | 10:03:12 | User123456 | /Search/Results/ | Car | - |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
05-22-2013
08:16 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
wpreston
Motivator
05-23-2013
05:18 AM
I usually use eval to handle these. Something like:
...my search params... | eval TermProduct=if(isnull(TermProduct),"None",TermProduct) | ...other search params...
then adjust your search to account for "None" (or whatever you want to eval it to) in that field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
05-22-2013
08:16 AM
fillnull?
... | fillnull value="-" Term Product | ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
05-23-2013
05:21 AM
You need fillnull before your stats command, not after.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DanielFordWA
Contributor
05-23-2013
04:52 AM
If in my search query I use the below...
stats count by Date Time User URL Term | Fields Date Time User URL Term | fillnull value="-" Term
This will only return the last result on the above table. The previous 4 results do not have the field "Term" associated with them, however I would like these to populate with a blank if that is the case.
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
