![]() ![]() The fillnull command is a distributable streaming command when a field-list is specified. If you do not specify a value, the default value is applied to the. value Syntax: value= Description: Specify a string value to replace null values. If you do not specify a field list, the value is applied to all fields. If you specify a field that didn't previously exist, the field is created. If you specify a field list, all of the fields in that list are filled in with the value you specify. Description: A space-delimited list of one or more fields. You can specify a string to fill the null field values or use the default, field value which is zero ( 0 ). You can replace the null values in one or more fields. Use the fillnull command to replace null field values with a string. Null values are field values that are missing in a particular result but present in another result. I think that would work if it does not cause another problem.Replaces null values with a specified value. I also thought of appending each unique search instead of using case. That may involve time buckets and have not looked into that. I have thought of counting the number of events in the time span that match each Type and setting the site_up=1 if it is zero. I need to use the Type on the eval to do it correctly and I think that is the problem. If I remove the AND Type="" from one of the evals the fillnull will fix that one. | timechart Max(site1_up) as Site1 Max(site2_up) as Site2 I am looking at multiple things and charting more than one value using a case statement with the eval based on the case.Ĭs_host="" AND like(SOAPAction,"%release%"), "Release",Ĭs_host="" AND like(SOAPAction,"%verify%"), "Verify", I checked the fillnull again and It does work using the basic format. I am trying to make a chart of the up(1)/down(0) status of various components, some of which are determined by the IIS logs. |eval Site3_up =1 if there are no events matching cs_host=C |eval Site3_up =0 if cs_host=C AND cs_User_Agent=Mozilla and no cs_uri_stem=check.asmx |eval Site3_up =1 if cs_host=C AND cs_User_Agent=Mozilla and at least one cs_uri_stem=check.asmx |eval Site2_up =1 if there are no events matching cs_host=B |eval Site2_up =0 if cs_host=B and at no cs_method=POST |eval Site2_up =1 if cs_host=B and at least one cs_method=POST |eval Site1_up=1 if there are no events matching cs_host=A |eval Site1_up=0 if cs_host=A and at no sc_status=200 |eval Site1_up=1 if cs_host=A and at least one sc_status=200 The reasoning for the up/down status is not important since this is simply an example. I have also tried | append without success, but don't completely know how that would work. It should also only use fillnull (or similar) if no events are in that 10 second span. Putting this before the eval does not work since I believe nothing is done without an event. ![]() I want a 1 charted if there are no events in that 10s span.Īdding | fillnull value=200 sc_status after the timechart simply shows an extra column of sc_status at 200 in every span (column in the chart). If there are no matching events it is probably not even looked at and returns nothing and the chart looks like a 0. It charts a 0 if there were responses, but none were 200. This charts a 1 if there was at least one 200 response from in the 10s span. It works, except for when no events happen. ![]() I want the eval it to return a 1 when there are no events in that span. The eval is likely not even called if there are no events in the timechart span I am looking at. I want a fillnull (or similar) to happen before an eval. As I write this I realize that what I want is likely not possible using this method. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |