
Is there a way to account for null/zero values that show up when you run a match window? 

For example, this query:

    ingestion.log_type != ""
    $log_type = ingestion.log_type

    match:
      $log_type

    outcome:
      $event_count = sum(ingestion.event_count)
      $event_type_count = count_distinct(ingestion.event_type)
      $event_types = array_distinct(ingestion.event_type)

    order:
      $event_count desc

It gives results back like the following:

    log_type - Test
    event_count - 4
    event_type_count - 3
    event_types - USER,,EDR

As you can see, it accounted for the zero value, but I do not want it to account for the empty value in that count for event_type_count.

You would need to filter those events out in the query, e.g. ingestion.event_type != ""
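To show what the reply's filter changes, here is an added Python emulation of the query's match/outcome aggregation (example code, not Chronicle's own engine and not from the original post). The sample rows are constructed so that the unfiltered run reproduces the poster's numbers, including the empty event_type that count_distinct counts as a value.

```python
from collections import defaultdict

# Constructed sample of ingestion records (not from the original post):
# one row per event with its log_type, event_type and event_count.
# The empty event_type on the third row reproduces the ",," seen in the
# poster's event_types result.
SAMPLE_EVENTS = [
    {"log_type": "Test", "event_type": "USER", "event_count": 2},
    {"log_type": "Test", "event_type": "EDR", "event_count": 1},
    {"log_type": "Test", "event_type": "", "event_count": 1},
    {"log_type": "", "event_type": "USER", "event_count": 5},
]


def match_by_log_type(events, require_event_type=False):
    """Emulate the match/outcome section of the query.

    Rows with an empty log_type are dropped (the query's first filter).
    When require_event_type is True, rows with an empty event_type are
    dropped as well, which is the fix suggested in the reply.
    Returns a list of dicts ordered by event_count descending.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["log_type"] == "":
            continue
        if require_event_type and ev["event_type"] == "":
            continue
        groups[ev["log_type"]].append(ev)

    rows = []
    for log_type, evs in groups.items():
        types = [e["event_type"] for e in evs]
        rows.append({
            "log_type": log_type,
            "event_count": sum(e["event_count"] for e in evs),
            # count_distinct and array_distinct treat "" as a real value,
            # so an empty event_type is counted unless it is filtered out.
            "event_type_count": len(set(types)),
            "event_types": sorted(set(types)),
        })
    rows.sort(key=lambda r: r["event_count"], reverse=True)
    return rows


if __name__ == "__main__":
    for label, flag in (("unfiltered", False), ("filtered", True)):
        print(label, match_by_log_type(SAMPLE_EVENTS, require_event_type=flag))
```

Because the filter removes whole events, the filtered run also drops those events' event_count from the sum (3 instead of 4 here), so check that $event_count is still the number you want after adding it.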
