Splunk documentation said
"fillnull command is a distributable streaming command when a field-list is specified. When no field-list is specified, the fillnull command fits into the dataset processing type"
I wonder why it works as dataset processing if no fields are specified. The results are all the same anyway, but there must be a reason.
Thanks for letting us know.
Thank you!!
When a field name is specified, it's easy for an indexer to see that the field has no value and substitute the fill value. Without a field name specified, it has to know the full set of fields to know which have null values. That's not a distributable function.