Splunk Search

I need to fill missing values in a search as NULL

abhijitp
Path Finder

I need to fill missing values from search items as NULL (not the string, but actual NULL values)

I see options to check if the values is NULL (isnull) or even fill NULL values with a string (fillnull). But what I need is to write the value to be NULL.

I searched but could not get an answer.

Thanks for all the help in this matter.
Abhi

Tags (1)
1 Solution

sideview
SplunkTrust
SplunkTrust

it's just null()

So you can do things like

| eval foo=if(sky="blue",foo,null())   

that would conditionally erase the field "foo" from any rows that claim the sky is not blue.

Extra reading: A fair number of examples out there use "null" as though it was a reserved keyword in the eval command but it is not. those examples just happen to work because there is generally not a field called "null", and eval allows you to name any field at all. thus specifying null is the same as nonexistentField, and is generally null valued...

View solution in original post

kartik13
Communicator

Try this , it resolved my problem.

|fillnull value="#"

0 Karma

MuS
Legend

Hi abhijitp,

did you look at the eval function null() http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions ?

null()  
This function takes no arguments and returns NULL. 
The evaluation engine uses NULL to represent "no value"; setting a field to NULL clears its value.

Hope this helps ...

cheers, MuS

sideview
SplunkTrust
SplunkTrust

it's just null()

So you can do things like

| eval foo=if(sky="blue",foo,null())   

that would conditionally erase the field "foo" from any rows that claim the sky is not blue.

Extra reading: A fair number of examples out there use "null" as though it was a reserved keyword in the eval command but it is not. those examples just happen to work because there is generally not a field called "null", and eval allows you to name any field at all. thus specifying null is the same as nonexistentField, and is generally null valued...

abhijitp
Path Finder

Thanks all the help. It worked as I wanted using this

| eval foo=if(sky="blue",foo,null())

0 Karma

MuS
Legend

Again too slow today 🙂

0 Karma

woodcock
Esteemed Legend

I tied @sideview yesterday on an answer and we both had typos but OP selected him.

0 Karma

MuS
Legend

HeHe, I have no problem at all if an OP selects @sideview 's answer to be the right one over mine, because @sideview will be for sure more right/correct/precise then I am !

This is also because I do not know Splunk © .... I'm still learning and I have no problem at all to admit that fact 😉

0 Karma

sideview
SplunkTrust
SplunkTrust

I've picked up that old habit of answering questions the moment I get the "expert" notification from Splunk, but I do have that haunting feeling as I type, that someone else might be answering simultaneously. omg type faster!

0 Karma

abhijitp
Path Finder

I really love the camaraderie 🙂

0 Karma

abhijitp
Path Finder

Thanks. Let me try this out.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...