The chart command can display any series of data that you want to plot. Using the over and by clauses divides the data into sub-groupings. The first field after the over clause is the x-axis; you decide which field to plot on the x-axis. The function defines the value of the y-axis, therefore it should be numeric.

Null values are those values that are present for. The fillnull command of Splunk is used to replace null values in fields with specific user-defined values. A multivalue field that is null is not a multivalue field.

Given your code, any invite that had any events other than A would get "yes" in BUnsupp. So, this is what it seems like you are trying to do:

index="dc_green_idx" event=A OR event=B OR event=C OR event=D | fields index invite event TimeSubmitted | stats latest(TimeSubmitted) as TimeSubmitted, latest(eval(case(event="A",TimeSubmitted))) as A_TimeSubmitted, values(event) as event by invite | where mvcount(event)>=3 and isnull(A_TimeSubmitted) | sort - TimeSubmitted

Although, really, unless you need the Time_submitted from A for some other reason, you could just go with this:

index="dc_green_idx" event=A OR event=B OR event=C OR event=D | fields index invite event TimeSubmitted | stats latest(TimeSubmitted) as TimeSubmitted, values(event) as event by invite | where mvcount(event)>=3 and event!="A" | sort - TimeSubmitted

That will tell you a list of all invites with event=B, C and D records but no event=A records.

Do we need to use service accounts for Splunk Enterprise components like the indexer, or are local accounts fine? I am suspecting a problem with the local account. I checked the nf file and the settings are proper.

I am observing a strange behaviour on Splunk where our hot db to cold db transfer is not happening properly.