Splunk Search

Fillnull command is not working in my search for specific sourcetype

Gowtham0809
New Member

Hi,

I been using fill null commands on my other searched without any issue, but in a specific case i am unable to get any response by using fillnull,

the data is indexed by a source type called CSV, (specific for CSV files), I will have 1000's of empty values in fields so I need to filter our based on my needs. one on my need is to filter it my means if null values. SO I want to replace the empty values in a filled with value-NULL. I used below format.

field name =""RWI State" and i used the fillnull as ....| fillnull value=NULL "RWI State".

but its not filling the filed with NULL values

Thanks

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

First of all, fields with spaces are EVIL but try this:

... | fillnull value="NULL" "RWI State"

If that doesn't work, then try this:

| eval "RWI State" = if(len('RWI State') == 0, "NULL", 'RWI State')

View solution in original post

woodcock
Esteemed Legend

First of all, fields with spaces are EVIL but try this:

... | fillnull value="NULL" "RWI State"

If that doesn't work, then try this:

| eval "RWI State" = if(len('RWI State') == 0, "NULL", 'RWI State')

Gowtham0809
New Member

Thanks for the update, I have many fields such as "RWI State", So so I need to use EVAL for all my fields, or can i do it for all the fields to replace null values. Note, I have too many fields in my data sheet.

0 Karma

woodcock
Esteemed Legend

There is the foreach command that you can use to cover multiple fields with one command.

0 Karma

Gowtham0809
New Member

adding to the post, replace command works with replacing empty values NULL. MY usecase is to use fillnull

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...