I have the data indexed in Splunk from a zipped-up CSV file and then created a Root Event in Data Models based on the sourcetype for the indexed data. But when I create a pivot I lose the count on field values that are blank (example data below).
Reading the documentation, if I use root searches I lose the autoextracted _time, which I do not want to do because I want to trend this data over time and perhaps use the acceleration feature.
How do I modify data in the Root Event Object so that these fields are populated with a default value when they are empty?
Here is my initial dataset – [in a CSV file zipped up locally]:
field_name count
Value1 1
Value2 3
Value4 4
<blank> 55
But here is the data in the Root Event – [constraint is sourcetype=my_define_sourcetype]:
Attribute [field_name] Count
Value1 1
Value2 3
Value4 4
Just to confirm all the events were indexed... If I use fillnull I can set the blank value to NULL in a search, so I know the events with blank fields get indexed.
Using Fillnull in search:
field_name count
Value1 1
Value2 3
Value4 4
NULL 55