```
host=* sourcetype=*
| replace *.zip WITH * IN Object
| replace *.csv WITH * IN Object
| replace *.null WITH * IN Object
| replace *.xls WITH * IN Object
| replace *.pdf WITH * IN Object
| fillnull value=0, Bytes_W
| stats sum(Bytes_W)
```

In the above code, I am using the `replace` command to replace the field values of `Object` with `*` wherever it has values with some extension like .csv, .null, etc. Also, I am using the `fillnull` command to fill the value as ‘0’ wherever the field Bytes_W is not available.
With the `replace` command first, followed by `fillnull`, the query returns the Bytes_W result as `0` (though there is data for the field Bytes_W), whereas the same query, if I change the order of the commands to `fillnull` first followed by `replace`, returns the correct results.
Note: This issue happens only during a particular time period.
I am not sure what is causing the problem here. Could anyone please help me with this?