Re: Display table with empty values marked as NONE

asarolkar · ‎02-07-2013

I have a log file which gives me a list of physicians and insurers.

sourcetype="patientlog" id=1 physician=Kelly,Jack insurer=BCBS
sourcetype="patientlog" id=2 insurer=Medicare
sourcetype="patientlog" id=3 physician=James,Francis

I want to create a table such that for every patient id I can list the physician and insurer.

id1      physician           insurer
1        Kelly, Jack          BCBS
2           NONE              Medicare
3        James, Francis       NONE

This is a little tricky becaues the way the log is written I cant really write out a "NONE" if I do something like

sourcetype="patientlog" physician=* insurer=* | stats physician, insurer by id

Anybody know a smart way of doing this ? I cant change the log file but I need to display empty values as "NONE" somehow

aholzer · ‎02-07-2013

You could use the fillnull command

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull

joshd · ‎02-07-2013

You need to specify the field names after the value="NA" ... ie: sourcetype="patientlog" | fillnull value="NA" physician | table physician, insurer

asarolkar · ‎02-07-2013

That did not work out 😞

asarolkar · ‎02-07-2013

sourcetype="patientlog" | fillnull value="NA" | table physician, insurer ?

Display table with empty values marked as NONE

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!