Splunk Search

Fill Null not working as expected

willadams
Contributor

I have a CSV that I am monitoring. The CSV has lots of fields and my extraction works appropriately. What I have noticed is that depending on the item in the CSV the field either has a value or not. I have noticed that this appears to be common with fields all prefixed with the same term. An example of the data set:

comp_domain
comp_cputype
comp_department
last_logon_date
Enabled
Name

If I run the following SPL then for all the fields EXCEPT comp_*, Splunk will populate them with my value:

index=foo
| fillnull value="Nothing"

So using the above fields:

field             value
comp_domain
comp_cputype
comp_department
last_logon_date   Nothing
Enabled           Nothing
Name              Nothing

If I run an eval to look for null for one of the values (e.g. comp_domain) I get the same result:

index=foo
| eval job=if(isnull(comp_domain),"Nothing here",comp_domain)

field             value
comp_domain

The same will happen for any field with "comp_" prefixed but works fine for fields that don't have a prefix.


yeahnah
Motivator

Hi @willadams 

Go back to the source csv file. I suspect that it must have a whitespace value or something, so Splunk does not consider it a true null value, as the eval test proves in your example.

Here's a run-anywhere example of what I mean...

| makeresults
| eval test=1, blank=" ", empty=""
| foreach blank empty [ eval <<FIELD>>_size=len(<<FIELD>>) ]
| foreach blank empty [ eval <<FIELD>>=if(isnull('<<FIELD>>'), "NULL", "NOT NULL") ]
| eval empty=null()
| appendpipe [
     eval test=2
   | foreach blank empty [ eval <<FIELD>>_size=len(<<FIELD>>) ]
   | foreach blank empty [ eval <<FIELD>>=if(isnull('<<FIELD>>'), "NULL", "NOT NULL") ]
]

Results:

_time                blank     blank_size  empty  empty_size  test
2020-09-01 17:24:52  NOT NULL  1                  0           1
2020-09-01 17:24:52  NOT NULL  8           NULL               2

Hope this helps.
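To confirm the whitespace theory at the source rather than in search, here is an added example (not from the thread or from Splunk) that audits a monitored CSV for cells that are whitespace-only versus genuinely empty, and rewrites the whitespace-only ones as empty cells so the indexed field is a true null. The CSV content is constructed to mirror the comp_* columns from the question; the function names are my own.

```python
import csv
import io
from collections import Counter

# Constructed sample: mimics the monitored CSV from the question. The comp_*
# columns hold a space where the author expected a null; the other blank
# cells are truly empty, which is why fillnull only worked for those.
SAMPLE_CSV = (
    "comp_domain,comp_cputype,comp_department,last_logon_date,Enabled,Name\n"
    "corp.example, ,HR,2020-08-30,True,host01\n"
    " , ,  ,,,host02\n"
    "corp.example,x64, ,2020-08-31,,\n"
)


def classify(value: str) -> str:
    """Bucket a cell as 'value', 'empty' (zero-length) or 'blank' (whitespace only)."""
    if value == "":
        return "empty"
    if value.strip() == "":
        return "blank"
    return "value"


def audit_csv_nulls(text: str) -> dict:
    """Count value/empty/blank cells per column. 'blank' cells are the ones
    fillnull and isnull() will not treat as null once indexed."""
    reader = csv.DictReader(io.StringIO(text))
    report = {name: Counter() for name in reader.fieldnames}
    for row in reader:
        for name, value in row.items():
            report[name][classify(value if value is not None else "")] += 1
    return {name: dict(counts) for name, counts in report.items()}


def normalize_blank_cells(text: str) -> str:
    """Rewrite whitespace-only cells as genuinely empty cells so the field is
    null after indexing and fillnull behaves like it does for the other columns."""
    reader = csv.reader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in reader:
        writer.writerow(["" if cell.strip() == "" else cell for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for column, counts in audit_csv_nulls(SAMPLE_CSV).items():
        print(f"{column:16} {counts}")
    print(normalize_blank_cells(SAMPLE_CSV))
```

If the file cannot be changed at the source, the same normalisation can be done in search before fillnull, for example `| eval comp_domain=if(match(comp_domain, "^\s*$"), null(), comp_domain)`.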
