Solved: Re: Timecharting null values

bspargur · ‎05-11-2021

Is there a way, that anyone is aware of, to timechart off of a field sumarry. I can break down the fieldsummary by timecharting first, I just end up with repeated field names with what looks like hashes appended to them, which is weird. I am trying to detrmine all the NULL fields and present them in a timecharted graph by day. Currently, without the timechart portion, this is what I have.

...| fieldsummary
| search values=*Unknown*
| rex field=values \"Unknown\"\\S\"count\":(?<null_count>\\d+)},
|eval percent_null=(null_count/count)*100
|eval Percent1=100-percent_null
|fields field Percent1 null_count

ITWhisperer · ‎05-15-2021

| gentimes start=-30 increment=1h
| rename starttime as _time 
| fields _time
| eval fielda="a".mvindex(split("ABC",""),random()%4)
| eval fieldb="b".mvindex(split("ABC",""),random()%4)
| eval fieldc="c".mvindex(split("ABC",""),random()%4)
| eval fieldd="d".mvindex(split("ABC",""),random()%4)
| eval fielde="e".mvindex(split("ABC",""),random()%4)
| eval fieldf="f".mvindex(split("ABC",""),random()%4)


| foreach *
    [| eval null_<<FIELD>>=if(isnull(<<FIELD>>),1,null)]
| timechart span=1d sum(null_*) as null_*

View solution in original post

richgalloway · ‎05-11-2021

The timechart command requires the _time field, which fieldsummary does not supply.

---
If this reply helps you, Karma would be appreciated.

bspargur · ‎05-12-2021

The _time can be used prior to the field summary command being run, I just get crazy outputs. If there is a better way to do what I am trying to do, that would work too. I am just not quite sure how to get it to work right.

richgalloway · ‎05-13-2021

Is there another way to do what? Please describe your desired output. What do you mean by "crazy outputs"? What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.

bspargur · ‎05-14-2021

I am trying to trend NULL values over time. There are 12 fields in total. I am attempting to get it to trend by day where it shows the fields that are NULL with and the counts for those fields, in addition to a percentage of ones that were not NULL. I can provide the output I get on Monday but I think it might be better to take a step back and see if anyone has an idea for a better way to do this.

ITWhisperer · ‎05-15-2021

| gentimes start=-30 increment=1h
| rename starttime as _time 
| fields _time
| eval fielda="a".mvindex(split("ABC",""),random()%4)
| eval fieldb="b".mvindex(split("ABC",""),random()%4)
| eval fieldc="c".mvindex(split("ABC",""),random()%4)
| eval fieldd="d".mvindex(split("ABC",""),random()%4)
| eval fielde="e".mvindex(split("ABC",""),random()%4)
| eval fieldf="f".mvindex(split("ABC",""),random()%4)


| foreach *
    [| eval null_<<FIELD>>=if(isnull(<<FIELD>>),1,null)]
| timechart span=1d sum(null_*) as null_*

bspargur · ‎05-18-2021

Thank you. This is a very nice solution.

Timecharting null values

timechart

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor