The Splunk query below returns only the calc_string column and returns blank for the index column; if I remove ln4 and ln5 it returns index. How can I make this query return both columns? Please advise.

index=vehicle* sourcetype=info_ssl splunk_server_group=ALL | stats values(xx) as XX values(yy) as YY
| eval calc_string=if(isnull(XX), YY, XX) | table index calc_string
| sort index

1 Answer

With the stats command you'll want to use the BY clause to return one row for each distinct value in the BY clause fields.

In your example, when using | stats values(xx) the result set only consists of the values of field yy without the index.

So to include the index we'll use the BY clause with the stats aggregation (line 2, at the very end).

index=vehicle* sourcetype=info_ssl splunk_server_group=ALL
| stats values(xx) as XX values(yy) as YY BY index
| eval calc_string=if(isnull(XX), YY, XX)
| table index calc_string
| sort index

If this fixes your problem, take a moment to accept the answer. This can be done by clicking on the check mark beside the answer to toggle it from greyed out to filled in!
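To make the behaviour behind the answer concrete, here is an added Python simulation (not part of the original thread and not Splunk code) of what `stats values(...)`, `eval ... if(isnull(...))` and `table` do to a set of events, run once without a BY clause and once with `BY index`. The events, field values and index names are constructed for the example; the function names `stats_values`, `eval_calc_string`, `table` and `run_query` are hypothetical helpers that mimic the SPL commands, not real Splunk APIs.

```python
# Added example (not from the original post): a small simulation of how
# Splunk's `stats values(...)` behaves with and without a BY clause, showing
# why `index` comes back blank in the question's query. Sample events below
# are constructed; the field names xx/yy/index mirror the question.

from collections import defaultdict

# Constructed sample events: one dict per event, like the search results
# that reach the `stats` command.
EVENTS = [
    {"index": "vehicle_a", "xx": "cert-1"},
    {"index": "vehicle_a", "xx": "cert-2"},
    {"index": "vehicle_b", "yy": "legacy-9"},
    {"index": "vehicle_c", "xx": "cert-3", "yy": "legacy-3"},
]


def stats_values(events, fields, by=None):
    """Mimic `stats values(f1) as F1 values(f2) as F2 [BY g]`.

    `fields` maps each source field to its output alias. Without BY, every
    event collapses into a single row and only the aggregated fields survive,
    so any other field (such as `index`) is simply absent from the output.
    With BY, one row is produced per distinct value of the BY field, and that
    field is carried into the row.
    """
    groups = defaultdict(list)
    for ev in events:
        key = ev.get(by) if by else None
        groups[key].append(ev)

    rows = []
    for key, group in groups.items():
        row = {}
        if by is not None:
            row[by] = key
        for src, alias in fields.items():
            # values() keeps the distinct non-null values, in lexical order.
            vals = sorted({ev[src] for ev in group if ev.get(src) is not None})
            row[alias] = vals if vals else None  # null when no event had it
        rows.append(row)
    return rows


def eval_calc_string(rows):
    """Mimic `eval calc_string=if(isnull(XX), YY, XX)` on each row."""
    for row in rows:
        row["calc_string"] = row["YY"] if row["XX"] is None else row["XX"]
    return rows


def table(rows, columns):
    """Mimic `table index calc_string`: keep only the listed columns; a
    column the row does not have is None (Splunk renders it blank)."""
    return [{c: row.get(c) for c in columns} for row in rows]


def run_query(events, by=None):
    """Run the whole pipeline from the thread, optionally with `BY index`."""
    rows = stats_values(events, {"xx": "XX", "yy": "YY"}, by=by)
    rows = eval_calc_string(rows)
    rows = table(rows, ["index", "calc_string"])
    return sorted(rows, key=lambda r: r["index"] or "")  # `sort index`


if __name__ == "__main__":
    print("without BY:   ", run_query(EVENTS))
    print("with BY index:", run_query(EVENTS, by="index"))
```

Without BY the output is a single row whose `index` column is None, exactly the blank column the question describes; with `BY index` there is one row per index, each with its own calc_string. The simulation also keeps one detail that matters in the real query: when an index has no `xx` values at all, `XX` is null and the `if(isnull(XX), YY, XX)` fallback picks `YY` for that row only.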