Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fillnull command is not working in my search for specific sourcetype

Gowtham0809
New Member
‎07-29-2019 10:42 PM

Hi,

I been using fill null commands on my other searched without any issue, but in a specific case i am unable to get any response by using fillnull,

the data is indexed by a source type called CSV, (specific for CSV files), I will have 1000's of empty values in fields so I need to filter our based on my needs. one on my need is to filter it my means if null values. SO I want to replace the empty values in a filled with value-NULL. I used below format.

field name =""RWI State" and i used the fillnull as ....| fillnull value=NULL "RWI State".

but its not filling the filed with NULL values

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 10:55 PM

First of all, fields with spaces are EVIL but try this:

... | fillnull value="NULL" "RWI State"

If that doesn't work, then try this:

| eval "RWI State" = if(len('RWI State') == 0, "NULL", 'RWI State')

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 10:55 PM

First of all, fields with spaces are EVIL but try this:

... | fillnull value="NULL" "RWI State"

If that doesn't work, then try this:

| eval "RWI State" = if(len('RWI State') == 0, "NULL", 'RWI State')
Reply
Solved! Jump to solution

Gowtham0809
New Member
‎07-30-2019 02:37 AM

Thanks for the update, I have many fields such as "RWI State", So so I need to use EVAL for all my fields, or can i do it for all the fields to replace null values. Note, I have too many fields in my data sheet.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-30-2019 10:38 AM

There is the foreach command that you can use to cover multiple fields with one command.

0 Karma
Reply
Solved! Jump to solution

Gowtham0809
New Member
‎07-29-2019 10:44 PM

adding to the post, replace command works with replacing empty values NULL. MY usecase is to use fillnull

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...