Solved: Fillnull command is not working in my search for s...

Gowtham0809 · ‎07-29-2019

Hi,

I been using fill null commands on my other searched without any issue, but in a specific case i am unable to get any response by using fillnull,

the data is indexed by a source type called CSV, (specific for CSV files), I will have 1000's of empty values in fields so I need to filter our based on my needs. one on my need is to filter it my means if null values. SO I want to replace the empty values in a filled with value-NULL. I used below format.

field name =""RWI State" and i used the fillnull as ....| fillnull value=NULL "RWI State".

but its not filling the filed with NULL values

Thanks

woodcock · ‎07-29-2019

First of all, fields with spaces are EVIL but try this:

... | fillnull value="NULL" "RWI State"

If that doesn't work, then try this:

| eval "RWI State" = if(len('RWI State') == 0, "NULL", 'RWI State')

View solution in original post

woodcock · ‎07-29-2019

First of all, fields with spaces are EVIL but try this:

... | fillnull value="NULL" "RWI State"

If that doesn't work, then try this:

| eval "RWI State" = if(len('RWI State') == 0, "NULL", 'RWI State')

Gowtham0809 · ‎07-30-2019

Thanks for the update, I have many fields such as "RWI State", So so I need to use EVAL for all my fields, or can i do it for all the fields to replace null values. Note, I have too many fields in my data sheet.

woodcock · ‎07-30-2019

There is the foreach command that you can use to cover multiple fields with one command.

Gowtham0809 · ‎07-29-2019

adding to the post, replace command works with replacing empty values NULL. MY usecase is to use fillnull

Fillnull command is not working in my search for specific sourcetype

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!