https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87603#M22406 <P>Thanks for your reply but when I try to use, it still doesn't show any results... Don't I expect to see "0" incase there are no results in "Total" after using this fillnull function?</P> Tue, 15 Jan 2013 18:09:48 GMT samsplunkd 2013-01-15T18:09:48Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87598#M22401 <P>Hi, </P> <P>My search looks like below:<BR /> index=foo search_name="bar" |stats sum(Count) AS Total</P> <P>Sometimes Total doesn't have any value and is NULL. Is there a way this NULL can be replaced with 0?</P> <P>I tried below two but none worked.<BR /> a) case(isnull(Total),0)<BR /> b) coalesce(Total,0)</P> <P>Any help is greatly appreciated.</P> <P>Thanks</P> Tue, 15 Jan 2013 10:10:21 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87598#M22401 samsplunkd 2013-01-15T10:10:21Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87599#M22402 <P>Hello</P> <P>You can try with usenull=f</P> <P>In your example: <CODE>index=foo search_name="bar" |stats sum(Count) AS Total usenull=f</CODE></P> <P>Regards</P> Tue, 15 Jan 2013 10:33:52 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87599#M22402 gfuente 2013-01-15T10:33:52Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87600#M22403 <P>usenull isn't valid for stats, just for chart.</P> Tue, 15 Jan 2013 10:52:09 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87600#M22403 Ayn 2013-01-15T10:52:09Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87601#M22404 <P>This is exactly what the <CODE>fillnull</CODE> command is for.</P> <PRE><CODE>... | fillnull Total </CODE></PRE> Tue, 15 Jan 2013 10:53:05 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87601#M22404 Ayn 2013-01-15T10:53:05Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87602#M22405 <P>Ok, thanks for the correction</P> Tue, 15 Jan 2013 11:06:35 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87602#M22405 gfuente 2013-01-15T11:06:35Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87603#M22406 <P>Thanks for your reply but when I try to use, it still doesn't show any results... Don't I expect to see "0" incase there are no results in "Total" after using this fillnull function?</P> Tue, 15 Jan 2013 18:09:48 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87603#M22406 samsplunkd 2013-01-15T18:09:48Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87604#M22407 <P>Reading through the documentation:<BR /> "Null values are those missing in a particular result, but present for some other result."</P> <P>In my case there is only one value instead of multiple events with some having values and others NULL. How do we replace NULL with 0 in case of only one value?</P> Tue, 15 Jan 2013 19:08:23 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87604#M22407 samsplunkd 2013-01-15T19:08:23Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87605#M22408 <P>When I try your search, on an index with no <CODE>Count</CODE> fields, I don't get one result with a null. Instead I get no results. Whereas, you instead want to get one result with a zero.</P> <UL> <LI>Even if none of the results has the Count field.</LI> <LI>Even if there are no results for the search.</LI> </UL> <P>I think this will do what you want:</P> <P><CODE>search_name=not_found | append [ search * | head 1 | eval Count=0 ] | stats sum(Count) AS Total</CODE></P> <P>This will always give you a total count unless there are no rows that match your selected time frame. It's a bit awkward, though.</P> Tue, 15 Jan 2013 19:29:15 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87605#M22408 MartinHarper 2013-01-15T19:29:15Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87606#M22409 <P>Yeah the problem is it shows no results when there are no matching events. I want to show "0" in Total in that case.<BR /> Above doesn't work as field Count won't even exist if there are no matched events.</P> <P>Basically I want to say if Total contains nothing, just display 0.</P> Tue, 15 Jan 2013 19:35:28 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87606#M22409 samsplunkd 2013-01-15T19:35:28Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87607#M22410 <P>Edited, try now.<BR /> How are you consuming this search? Wondering if a better approach would be to change how it is consumed.</P> Tue, 15 Jan 2013 19:47:46 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87607#M22410 MartinHarper 2013-01-15T19:47:46Z https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87608#M22411 <P>Correct syntax for more clarity:</P> <PRE><CODE>... | fillnull value=NULL </CODE></PRE> <P><STRONG>Reference:</STRONG> <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull</A></P> Thu, 02 Aug 2018 00:29:44 GMT https://community.splunk.com/t5/Splunk-Search/Replacing-Null-values/m-p/87608#M22411 jawaharas 2018-08-02T00:29:44Z