Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Fill Null not working as expected

willadams
Contributor
‎08-31-2020 10:04 PM

I have a CSV that I am monitoring.  The CSV has lots of fields and my extraction works appropriately.  What I have noticed is that depending on the item in the CSV the field either has a value or not.  I have noticed that this appears to be common with fields all prefixed with the same term.  An example of the data set

 

comp_domain

comp_cputype

comp_department

last_logon_date

Enabled

Name

 

If I run the following SPL then for all the fields EXCEPT comp_*, SPLUNK will populate it with my value

 

index=foo 
| fillnull value="Nothing"

 

 

So using the above fields

 

fieldvalue
comp_domain 
comp_cputype 
comp_department 
last_logon_dateNothing
EnabledNothing
NameNothing

 

If I run an eval to look for null for one of the value (e.g. comp_domain) I get the same result

 

index=foo
| eval job=if(isnull(comp_domain),"Nothing here",comp_domain)

 

 

fieldvalue
comp_domain 

 

The same will happen for any field with "comp_" prefixed but works fine for fields that don't have a prefix.  

Labels (1)
Labels
Tags (2)
0 Karma
Reply

yeahnah
Motivator
‎08-31-2020 10:28 PM

Hi @willadams 

Go back to the source csv file, I suspect that it must have a whitespace value or something so Splunk does not consider it a true null value, as the eval test proves in your example.

Here's a run anywhere example of what I mean...

 

| makeresults 
| eval test=1, blank=" " , empty=""
| foreach blank empty [ eval <<FIELD>>_size=len(<<FIELD>>) ]
| foreach blank empty [ eval <<FIELD>>=if(isnull('<<FIELD>>'), "NULL", "NOT NULL") ]
| eval empty=null()
| appendpipe [
     eval test=2
   | foreach blank empty [ eval <<FIELD>>_size=len(<<FIELD>>) ]
   | foreach blank empty [ eval <<FIELD>>=if(isnull('<<FIELD>>'), "NULL", "NOT NULL") ]
]

 

Results

 
  _time blank blank_size empty empty_size test
12020-09-01 17:24:52NOT NULL1 01
22020-09-01 17:24:52NOT NULL8NULL 2


Hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...