nice, this ends in transforms.conf as default_match
default_match = <string>
* If min_matches > 0 and Splunk has less than min_matches for any given input, it provides
this default_match value one or more times until the min_matches threshold is reached.
* Defaults to empty string.
you could setup an eval-based statement in props.conf :
EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the value of the output
to <fieldname>. This creates a "calculated field."
* When multiple EVAL-* statements are specified, they behave as if
they are run in parallel, rather than in any particular sequence.
For example say you have two statements: EVAL-x = y*2 and EVAL-y=100. In this case, "x"
will be assigned the original value of "y * 2," not the value of "y" after it is set to 100.
* Splunk processes calculated fields after field extraction and field aliasing but before
lookups. This means that:
* You can use a field alias in the eval statement for a calculated field.
* You cannot use a field added through a lookup in an eval statement for a calculated
The eval could look like this:
EVAL-amount = if(isnull(amount), "100" , amount)
This is untested so maybe you need to adapt it to your needs