Answer by HiroshiSatoh
Try this! index=myIndex value1!=True | stats count by siteID | map search="search index=myIndex earliest=-2d value2!=True siteID=\"$siteID$\" | stats latest(_time) as lastContact by siteID, siteName,...
Answer by elliotproebstel
Well, you can solve the current problem with a simple `fillnull`: index=myIndex value1!=True | stats count by siteID | fillnull value="" siteID | map [search index=myIndex earliest=-2d value2!=True...
Answer by andygerberkp
In a similar vein, if you are not using a stats comment, you can simply append / makeresults to create a dummy result to feed to `| map`. `| append [| makeresults | eval siteID="DUMMY"]`
Answer by woodcock
The `fillnull` command is not the right way to do it and it will not work for all versions. Here is an approach that will work for all versions of Splunk. Essentially, you create a fake/placeholder...