Solved: Re: How to include completely missing fields in re...

acidkewpie · ‎09-27-2012

Hi,

I'm looking at charting the most common file types, based on a string in a log of "..., http_path=/a/b/c/blah.gif, next-field=..." for example. I've extracted the "gif" field easily enough, and so I can trivially see all file types. BUT how do I cover the case of there being no extension? e.g. "..., http_path=/a/b/app, next-field=..."? These web app locations are the significant majority of the requests, and I'd really like to have a "No Ext" chunk on my pie chart. How can I do this?

If I go back to where the log is generated, then I can hack out the extension there, make a new field, like http_ext and leave it empty, but that doesn't seem like the right thing to do.

Cheers

Chris

yannK · ‎09-27-2012

Do your extractions first, then for each event (before using stats functions), replace the fields that are null by a text value.

example for the field myfield;



| eval myfield=if(isnull(myfield),"missing",myfield)

View solution in original post

yannK · ‎09-27-2012

Do your extractions first, then for each event (before using stats functions), replace the fields that are null by a text value.

example for the field myfield;



| eval myfield=if(isnull(myfield),"missing",myfield)

yannK · ‎09-28-2012

acid, thanks, I looked for this command for months !!!

acidkewpie · ‎09-28-2012

Oh, hang on... Shouldn't this be using "| fillnull value=NONE myfield"? Isn't that going to be much more efficient?

acidkewpie · ‎09-27-2012

brilliant, thanks

How to include completely missing fields in results

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...