fillnull value- stats count by
I have events that go through steps (1-7) and each step is one line. However, if there is an Error line there is no step number. In that case I would like to fill the N/A value with the same step value as the previous line/event, i.e. the step number of the previous line, so step 3. I tried it with eventstats and streamstats by getting the last step for OK, but the KO line is not necessarily the last line for the customer. I also tried it with filldown, but it always takes the line above the KO and not the one prior. Here is my latest search query that I tried:

| eventstats latest(step) as laststep by customer_number
| eventstats latest(status) as laststatus by customer_number
| eval step=if(status="KO" AND laststatus="KO" AND step="", laststep, step)

This works when the KO is in the last step. The filldown command would be useful if it was able to use conditions with it. The solution, which I found here, is to use the fillnull command. The ideal solution would be a reverse filldown command that would fill the N/A with the values of the events and their fields prior to the KO.

I need to fill the null values of multiple fields with any value, i.e. 0 or "Not found".

CustomerId  CounterID  CustomerName  DeskID  PurchasedItem
121                                  1       Pen
121                                  1       Pencil

CustomerId  CounterID  CustomerName  DeskID  PurchasedItem
121         0          0             1       Pen
121         0          0             1       Pencil

main's value should be test1 / test2 / test3 / test4: in case test1 is empty the option goes to test2, if test2 is empty then the option goes to test3, and test4 likewise. If test1, test2, test3, test4 all contain a value then test1 would be assigned to main. If not, 'All Test are Null' will be assigned to main.

... which assigns 'true' or 'false' to var depending on x being NULL.
source="test_API_data.csv" host="test_API_data" index="main" sourcetype="csv"
| timechart values(total_number_of_hits) as total_number_of_hits, values(successful_hits) as successful_hits, values(unsuccessful_hits) as unsuccessful_hits, values(status) as status span=1hr
| fillnull total_number_of_hits, successful_hits, unsuccessful_hits

We then get an updated table that looks like this:

We can see that the "missing hours" now have rows of zeroes, which tells us that there was no activity during these hours rather than ambiguously not including them. However, the "status" column is still empty for these missing hours. The status is the state of the API endpoint at the end of each hour: if the API was available at the end of the hour then the status is reported as UP and, conversely, if the API was unavailable then the status is reported as DOWN. Since there were no hits during the missing hours, there is nothing to tell us whether our API endpoint was available or not. We might reasonably assume that for each missing hour the API status is the same as that of the previous hour. Using this assumption we can use Splunk's "filldown" command to fill in the missing values. Filldown looks for empty values for a particular field and updates them to be that of the last known, non-empty value for that field, in row order. Looking at the table we can see that for the row for 01:00 the last known value for status was UP (which comes from 00:00). Similarly, for the row for 03:00 the last known value for status was DOWN (which comes from 02:00).

I am having some troubles filling my null values with conditional field values.

If I do eval isNull=if(isnull(serviceInfoBlock.logID), 'True', 'False') it creates the field but assigns every value to be true.

The above eval statement does not correctly convert 0 to 0.0.0.0 and null values. Try this: Note: replace ip with the field name you would like to convert.
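The following is an added example, not code from the page, from Splunk, or from any of the posters quoted above. It is a small Python model of what fillnull, filldown and coalesce() do to a table, run over constructed rows shaped like the two examples on this page: the hourly API table (two hours with no hits) and the customer step events (a KO line with no step that is not the customer's last line). The SPL in the comments is my own reading of the equivalent Splunk commands; in particular the grouped filldown models a streamstats recipe (current=f last(step) by customer_number) that I am assuming skips null values the way stats functions do. The sample rows, customer numbers and step values are constructed.

```python
# Added example: pure-Python model of Splunk fillnull / filldown / coalesce().
# SPL in comments is my assumed equivalent, not taken from the page.
from copy import deepcopy


def is_empty(value):
    # Simplification: a missing field and an empty string are both "null" here;
    # the poster's own eval tested step="" explicitly.
    return value is None or value == ""


def fillnull(rows, value="0", fields=None):
    # | fillnull value=<value> <field-list>   (no field list = every field; default value 0)
    rows = deepcopy(rows)
    if fields is None:
        fields = sorted({key for row in rows for key in row})
    for row in rows:
        for field in fields:
            if is_empty(row.get(field)):
                row[field] = value
    return rows


def filldown(rows, fields, by=None):
    # by=None -> | filldown <field-list>
    # by="customer_number" -> | streamstats current=f last(step) as prev by customer_number
    #                         | eval step=if(isnull(step), prev, step)
    # SPL's filldown has no BY clause: it carries the last non-empty value in row
    # order regardless of which customer that row belongs to.
    rows = deepcopy(rows)
    last_seen = {}  # (group, field) -> last non-empty value in row order
    for row in rows:
        group = row.get(by) if by else None
        for field in fields:
            key = (group, field)
            if is_empty(row.get(field)):
                if key in last_seen:
                    row[field] = last_seen[key]
            else:
                last_seen[key] = row[field]
    return rows


def coalesce(row, *fields, default=None):
    # | eval main=coalesce(test1, test2, test3, test4)
    # | eval main=if(isnull(main), "All Test are Null", main)
    for field in fields:
        if not is_empty(row.get(field)):
            return row[field]
    return default


# Constructed sample: hourly timechart output with two hours that had no hits.
API_HOURS = [
    {"_time": "00:00", "total_number_of_hits": "12", "successful_hits": "12", "unsuccessful_hits": "0", "status": "UP"},
    {"_time": "01:00", "total_number_of_hits": None, "successful_hits": None, "unsuccessful_hits": None, "status": None},
    {"_time": "02:00", "total_number_of_hits": "5", "successful_hits": "0", "unsuccessful_hits": "5", "status": "DOWN"},
    {"_time": "03:00", "total_number_of_hits": None, "successful_hits": None, "unsuccessful_hits": None, "status": None},
    {"_time": "04:00", "total_number_of_hits": "9", "successful_hits": "9", "unsuccessful_hits": "0", "status": "UP"},
]


def api_table():
    # | fillnull total_number_of_hits successful_hits unsuccessful_hits | filldown status
    hits = ["total_number_of_hits", "successful_hits", "unsuccessful_hits"]
    return filldown(fillnull(API_HOURS, "0", hits), ["status"])


# Constructed sample: two customers' step events interleaved in time; the KO
# line for customer A has no step and is not A's last event.
STEP_EVENTS = [
    {"customer_number": "A", "step": "1", "status": "OK"},
    {"customer_number": "B", "step": "1", "status": "OK"},
    {"customer_number": "A", "step": "2", "status": "OK"},
    {"customer_number": "A", "step": "3", "status": "OK"},
    {"customer_number": "B", "step": "2", "status": "OK"},
    {"customer_number": "A", "step": None, "status": "KO"},
    {"customer_number": "A", "step": "4", "status": "OK"},
]


def steps_plain_filldown():
    # Plain filldown copies the line above (B's step 2) into A's KO line.
    return [row["step"] for row in filldown(STEP_EVENTS, ["step"])]


def steps_grouped_filldown():
    # Carrying the value per customer gives A's KO line A's prior step, 3.
    return [row["step"] for row in filldown(STEP_EVENTS, ["step"], by="customer_number")]


if __name__ == "__main__":
    for row in api_table():
        print(row)
    print(steps_plain_filldown())
    print(steps_grouped_filldown())
    tests = {"test1": None, "test2": "", "test3": "x", "test4": "y"}
    print(coalesce(tests, "test1", "test2", "test3", "test4", default="All Test are Null"))
```

The two step functions show why plain filldown "takes the line above and not the one prior" when customers' events are interleaved: filldown has no notion of the customer, so the only fix short of sorting by customer first is to carry the last value per group, which is what the streamstats form in the comments does.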