Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- Re: Fill null values with field values from previo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fill null values with field values from previous line/event (conditional fillnull values)
Hello Splunk community,
I am having some troubles filling my null values with conditional field values.
I have events that go through steps (1-7) and each step is one line eg. one event. However, if there is an Error line there is no step number. In that case I would like to fill the N/A value by the same step value as the previous line/event.
Here an example:
| customer_number | status | step | |
| 1234 | OK | 5 | |
| 1234 | OK | 4 | |
| 1234 | KO | N/A | Here it should be step number 3 |
| 1234 | Ok | 3 | |
| 1234 | Ok | 2 | |
| 1234 | OK | 1 |
I would like to fill the N/A value with the step number of the previous line so step 3.
I tried it with eventstats and streamstats by getting the last step for OK but the KO line is not necessarily the last line for the customer. I also tried it with filldown but it always takes the line above the KO and not the one pior.
Here is my latest search query that I tried.
| eventstats latest(step) as laststep by customer_number
| eventstats latest(status) as laststatus by customer_number
| eval step=if(status="KO" AND laststatus="KO" AND step="", laststep, step)
|filldown step, Step
This works when the KO is in the last step. The filldown command would be usefull if it was able to use conditions with it. The ideal solution would a reverse filldown command that would fill the N/A with the values of the events and their fields prior to the KO.
Please help!
thank you in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jt_yshi ,
Can you maybe do it like this?
| sort step
| filldown step
| sort - step
BR
Ralph
Karma and/or Solution tagging appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @rnowitzki
It works very well! I was looking at way more complex case and eval function yet the answer seems so simple.
Thanks for your help, much appreciated!
Best regards,
Julia
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
