https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210957#M61678 <P>Thanks for imeediate response. its working. but its working for only if your query results are below 10000. if we have more than 10000 results sort command is truncating the results to 10000. </P> Tue, 03 Nov 2015 14:22:47 GMT Laya123 2015-11-03T14:22:47Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210953#M61674 <P>Hi,<BR />I need small to fill null values in search results</P> <P>I have search results like</P> <P>ID host country<BR />1 A CC<BR />2 A CC<BR />3 B AA<BR />4 C CC<BR />5 A<BR /><BR />6 B AA<BR />7 B AA<BR />8 C CC<BR />9 A CC<BR />10 B<BR /><BR />11 A</P> <P>I want to fill blanks of country from other rows where the same host is there means for ID:5 host is 'A' but country is blank I want to fill that blank with 'CC' (the country name is same for same host for all IDs) same as B host for ID:10 is balnk wanto fill with 'AA' why because host 'B' country is 'CC' same for all blanks of country has to be filled with country of same host</P> <P>thanks in advance</P> Thu, 28 Jul 2022 15:22:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210953#M61674 Laya123 2022-07-28T15:22:56Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210954#M61675 <P>Try something like this (assuming Country for a host is always same)</P> <PRE><CODE>your current search giving above output | eventstats values(Country) as Country by host </CODE></PRE> Mon, 02 Nov 2015 15:50:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210954#M61675 somesoni2 2015-11-02T15:50:45Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210955#M61676 <P>Does this solve yoour problem?</P> <PRE><CODE>... | eventstats values(country) country_2 BY host | eval country=coalesce(country, country_2) | fields- country_2 </CODE></PRE> Mon, 02 Nov 2015 15:50:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210955#M61676 HeinzWaescher 2015-11-02T15:50:51Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210956#M61677 <P>You could use <CODE>filldown</CODE> command. You'd have to <CODE>sort</CODE> by host first. The end result would look something like:</P> <PRE><CODE>... | sort host | filldown country </CODE></PRE> Mon, 02 Nov 2015 16:19:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210956#M61677 aholzer 2015-11-02T16:19:26Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210957#M61678 <P>Thanks for imeediate response. its working. but its working for only if your query results are below 10000. if we have more than 10000 results sort command is truncating the results to 10000. </P> Tue, 03 Nov 2015 14:22:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/210957#M61678 Laya123 2015-11-03T14:22:47Z https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/607385#M211165 <P><FONT size="4">Sort has a default value of 10000</FONT></P><P><FONT size="4"><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort" target="_blank" rel="noopener">sort - Splunk Documentation</A></FONT></P><P><FONT size="4">&nbsp;</FONT></P><P><FONT size="4">You would need to specify "sort 0"&nbsp; (zero)&nbsp; in the code, to remove any limits&nbsp;</FONT></P><P><FONT size="4">&nbsp;</FONT></P><H3><FONT size="4"><SPAN class="">Optional arguments</SPAN></FONT></H3><H3><FONT size="4"><SPAN class="">&lt;count&gt;</SPAN></FONT></H3><H3><FONT size="4"><SPAN class="">Syntax:&nbsp;&lt;int&gt; | limit=&lt;int&gt; </SPAN></FONT></H3><H3><FONT size="4"><SPAN class=""><STRONG>Description</STRONG>:&nbsp; </SPAN></FONT></H3><H3><FONT size="4"><SPAN class="">Specify the number of results to return from the sorted results. </SPAN></FONT></H3><H3><FONT size="4"><SPAN class=""><FONT color="#0000FF">If no count is specified, the default limit of <STRONG>10000</STRONG> is used. </FONT></SPAN></FONT></H3><H3><FONT size="4"><SPAN class=""><FONT color="#0000FF"><FONT color="#339966">If&nbsp;0&nbsp;is specified, <STRONG>all</STRONG> results are returned. </FONT></FONT></SPAN></FONT></H3><H3><FONT size="4" color="#000000"><SPAN class="">You can specify the count using an integer or precede the count with a label, for example&nbsp;limit=10</SPAN></FONT></H3><P class=""><FONT size="4">&nbsp;</FONT></P><P class=""><FONT size="4" color="#FF0000"><STRONG>Using&nbsp;sort 0&nbsp;might have a negative impact performance</STRONG>, depending on how many results are returned.</FONT></P> Thu, 28 Jul 2022 14:40:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-fill-null-values-using-another-field-value/m-p/607385#M211165 Machine247 2022-07-28T14:40:21Z