Solved: Can't fillnull on fields in REST generated table?

the_wolverine · ‎08-25-2016

Why doesn't fillnull work here?

| rest /servicesNS/-/-/saved/searches splunk_server=local | search disabled=0 is_scheduled=1 | fillnull dispatch.earliest_time | table author, title, disabled, is_scheduled, cron_schedule, search, dispatch.earliest_time, dispatch.latest_time, actions, action.email, action.email.to, action.email.sendresults, alert.track, alert.expires, alert_type, realtime_schedule

martin_mueller · ‎08-25-2016

dispatch.earliest_time isn't null so fillnull has nothing to do:

...  | eval a1 = if(isnull('dispatch.earliest_time'), "null", "not null")

Weirdly, it's zero-length at the same time:

...  | eval a2 = length(tostring('dispatch.earliest_time'))

And it's a string:

... | eval a3 = typeof('dispatch.earliest_time')

As a workaround, you can of course use eval dispatch.earliest_time = if(length('dispatch.earliest_time')=0, 0, 'dispatch.earliest_time').

View solution in original post

martin_mueller · ‎08-25-2016

dispatch.earliest_time isn't null so fillnull has nothing to do:

...  | eval a1 = if(isnull('dispatch.earliest_time'), "null", "not null")

Weirdly, it's zero-length at the same time:

...  | eval a2 = length(tostring('dispatch.earliest_time'))

And it's a string:

... | eval a3 = typeof('dispatch.earliest_time')

As a workaround, you can of course use eval dispatch.earliest_time = if(length('dispatch.earliest_time')=0, 0, 'dispatch.earliest_time').

martin_mueller · ‎08-26-2016

If that answers your question please do mark it as accepted.

the_wolverine · ‎08-25-2016

Thanks!!

Can't fillnull on fields in REST generated table?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms