https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634334#M220359 <P>Using join is not generally a good idea in Splunk as it has limitations which may silently affect your data.</P><P>join functionality is generally achieved in Splunk using this construct</P><LI-CODE lang="markup">index=lab (sourcetype=A OR sourcetype=cmdb) | stats values(*) as * by src_host</LI-CODE><P>This will generally always be faster than a join and not have limitations.</P><P>The 'values(*) as *' can be tailored to carry forward whatever fields you want in the resultant rows.</P><P>&nbsp;</P> Mon, 13 Mar 2023 22:27:59 GMT bowesmana 2023-03-13T22:27:59Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634330#M220356 <P>Hello fellows!<BR /><BR />I have a sourcetype called cmdb with a field called BIA to any src_host.</P> <P>After this join</P> <P>index=lab sourcetype=A | join type=left src_host [search index=lab sourcetype=cmdb]</P> <P>Most of the src_host now figures with the BIA field, but some of them don't. It's OK, because they do not exist on cmdb sourcetype.</P> <P>I want to fix the value of the BIA field for this hosts.</P> <P>I try to use&nbsp;a lot of tings like...<BR />​| eval BIA = if( len(BIA)==0, "FIX", BIA)<BR />but is not running fine.</P> <P>Can someone help me?</P> Wed, 15 Mar 2023 16:13:01 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634330#M220356 pierre_weg 2023-03-15T16:13:01Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634333#M220358 <P>You can't use the eval test as BIA is a null field in those events, so use fillnull instead</P><LI-CODE lang="markup">​| fillnull BIA value="FIX"</LI-CODE> Mon, 13 Mar 2023 22:24:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634333#M220358 bowesmana 2023-03-13T22:24:51Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634334#M220359 <P>Using join is not generally a good idea in Splunk as it has limitations which may silently affect your data.</P><P>join functionality is generally achieved in Splunk using this construct</P><LI-CODE lang="markup">index=lab (sourcetype=A OR sourcetype=cmdb) | stats values(*) as * by src_host</LI-CODE><P>This will generally always be faster than a join and not have limitations.</P><P>The 'values(*) as *' can be tailored to carry forward whatever fields you want in the resultant rows.</P><P>&nbsp;</P> Mon, 13 Mar 2023 22:27:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634334#M220359 bowesmana 2023-03-13T22:27:59Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634380#M220379 <P>Great! Great! Great!&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;</P><P>Thanks for your help!</P> Tue, 14 Mar 2023 10:56:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/634380#M220379 pierre_weg 2023-03-14T10:56:13Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/635732#M220873 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;<BR />I found an issue...<BR />In&nbsp;sourcetype=cmdb the all events have the field BIA with "H", "M" ou "L" values.<BR />After the join, and using "fillnull", if I use "fillnull BIA value="E"", 100% of the events have one of the 4 values, but if I use "fillnull BIA value="H"" 100% of the events will have "H" value.<BR /><BR />what I'ḿ doing wrong?</P> Thu, 23 Mar 2023 14:50:20 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/635732#M220873 pierre_weg 2023-03-23T14:50:20Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/635809#M220894 <P>Can you post your full search</P> Fri, 24 Mar 2023 02:10:30 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/635809#M220894 bowesmana 2023-03-24T02:10:30Z https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/635899#M220917 <P>I found the mistake...<BR /><BR /></P><P>It was a syntax error</P><P>The right way is</P><P>| fillnull value="FIX" BIA</P><P>not</P><P>| fillnull BIA value="FIX"</P><P>&nbsp;</P><P>Thanks again!</P> Fri, 24 Mar 2023 11:07:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-there-empty-fields-after-a-left-join/m-p/635899#M220917 pierre_weg 2023-03-24T11:07:15Z