Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fillnull command is not working in my search for specific sourcetype

Gowtham0809
New Member
‎07-29-2019 10:42 PM

Hi,

I been using fill null commands on my other searched without any issue, but in a specific case i am unable to get any response by using fillnull,

the data is indexed by a source type called CSV, (specific for CSV files), I will have 1000's of empty values in fields so I need to filter our based on my needs. one on my need is to filter it my means if null values. SO I want to replace the empty values in a filled with value-NULL. I used below format.

field name =""RWI State" and i used the fillnull as ....| fillnull value=NULL "RWI State".

but its not filling the filed with NULL values

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 10:55 PM

First of all, fields with spaces are EVIL but try this:

... | fillnull value="NULL" "RWI State"

If that doesn't work, then try this:

| eval "RWI State" = if(len('RWI State') == 0, "NULL", 'RWI State')

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-29-2019 10:55 PM

First of all, fields with spaces are EVIL but try this:

... | fillnull value="NULL" "RWI State"

If that doesn't work, then try this:

| eval "RWI State" = if(len('RWI State') == 0, "NULL", 'RWI State')
Reply
Solved! Jump to solution

Gowtham0809
New Member
‎07-30-2019 02:37 AM

Thanks for the update, I have many fields such as "RWI State", So so I need to use EVAL for all my fields, or can i do it for all the fields to replace null values. Note, I have too many fields in my data sheet.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-30-2019 10:38 AM

There is the foreach command that you can use to cover multiple fields with one command.

0 Karma
Reply
Solved! Jump to solution

Gowtham0809
New Member
‎07-29-2019 10:44 PM

adding to the post, replace command works with replacing empty values NULL. MY usecase is to use fillnull

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...