如何在图表管道后保留Splunk中的表字段？尝试将值连接到'over'参数，但得到'未找到结果'

Posted 2021-05-05

我有一个搜索，基本上我想显示每个客户每个工作区的用户类型数，但我只能在表中获得客户名称和用户类型。

这就是我所拥有的：

 | `workspace_submissions((submissions.workspaceGuid=*), (workspaceGuid=*))` 
 | search userGuid=* 
 | eval userPersona=case(workspaceRole="ADMIN", "Builder", cellValueChanges>0 OR modelChanges>0, "Contributor", cellValueChanges=0 AND modelChanges=0, "Viewer") 
 | lookup user-dc5prod userGuid output active 
 | eval US=if(active=1, "Enabled", "Disabled") 
 | stats count by userPersona workspaceGuid 
 | lookup workspace-dc5prod workspaceGuid output workspaceGuid, currentCustomerGuid as customerGuid 
 | lookup customer-dc5prod customerGuid output type name as customerName sfdcAccountGuid
 | chart values(count) over customerName by userPersona

我查看了这个splunk论坛问题的答案：https://answers.splunk.com/answers/390709/how-do-i-add-extra-fields-to-a-chart-count-over-fi.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev，但是当我放了

 | eval customerName=customerName."#".workspaceGuid."#".sfdcAccountGuid

在图表之前，我没有返回任何结果。我需要表customerName sfdcAccountGuid workspaceGuid Builder Contributor和Viewer

答案

我想到了。我的包含sfdcAccountGuid的eval语句具有空值，因为我没有填充，所以这些值完全被排除在外。添加| fillnull value = NULL sfdcAccountGuid允许它正确通过。