That will tell you a list of all invites with event=B, C and D records but no event=A records.

But to run this query, I need to run it only when the 'missing' column is missing.

The Splunk where command is one of several options used to filter search results.

Below query can do it, eval missinganothercolumn. NULL))) AS successfulrequests count(eval(if(httpstatuscode > '400', 1, NULL))).

If a field is missing in output, what is the query to eval another field to create this missing field?

Index="dc_green_idx" event=A OR event=B OR event=C OR event=D | fields index invite event TimeSubmitted | stats latest(TimeSubmitted) as TimeSubmitted, values(event) as event by invite | where mvcount(event)>3 and event!=A | sort - TimeSubmitted

The eval command is perhaps the most advanced and powerful command in SPL.

10-01-2021 06:30 AM Hi - I have a few dashboards that use expressions like eval varifnull (x,'true','false').

If a calculated field has the same name as a field that has been extracted by normal means, the calculated field will override the extracted field, even if the eval statement evaluates to null.

Index="dc_green_idx" event=A OR event=B OR event=C OR event=D | fields index invite event TimeSubmitted | stats latest(TimeSubmitted) as TimeSubmitted, latest(eval(case(event="A",TimeSubmitted))) as A_TimeSubmitted values(event) as event by invite | where mvcount(event)>3 and isnull(A_TimeSubmitted) | sort - TimeSubmitted

Although, really, unless you need the Time_submitted from A for some other reason, you could just go with this:

See Comparison and Conditional functions in the Search Reference.

So, this is what it seems like you are trying to do: Given your code, any invite that had any events other than A would get "yes" in BUnsupp.

A multivalue field that is null is not a multivalue field.