Hi,
I have a problem with a query which runs on an hourly basis as the fields that need to be returned can vary. The simple query is
index="test" | fields app,action,category | fillnull value="unknown" | stats count by app,action,category
I have one action which contains the category and one without:
{"app": "testapp", "category": "test_cat", "action": "video_view"}
{"app": "testapp2", "action": "social"}
The issue arises as the stats table will not show anything unless the category is present in at least 1 event in the timerange. I.e. if I select a timerange with only the second event here using the query above, I receive no results. I need to receive field, even if only null.
I have also tried the following but it doesn't work:
index="test" | fields app,action,category | eval category=if(isnotnull(category),category,NULL)| fillnull value="unknown" | stats count by app,action,category
