Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to replace null fields at index-time?

bvivi57
Observer
‎07-27-2016 07:58 AM

Hi,

I have to search saved as quickly as possible. I CSV indexes whose columns are sometimes empty. I have to put a value by default with the fillnull command because the data is used by external software (Tableau )

The docs say (https://docs.splunk.com/Documentation/ODBC/2.1.0/UseODBC/Troubleshooting 😞

"Null fields are not handled in the same way as you might be used to with other database systems. For example, they might inconsistently appear when you add or remove columns to your query.
This behavior is expected. To prevent this from happening, add functionality to your report (saved search in Splunk Enterprise 5) that gives null fields a constant literal value—for example, the string "Null". This ensures that null fields appear consistently."

But the command fillnull slowed search. So I would like the empty fields or tagged it with a value by default to avoid calling the fillnull order. It is possible?

0 Karma
Reply

sjohnson_splunk
Splunk Employee
Splunk Employee
‎08-01-2016 05:48 PM

Your props.conf setting looks correct. This operation is performed at index time. Are you pushing it in an app to your indexer or heavy forwarder?

0 Karma
Reply

bvivi57
Observer
‎08-02-2016 01:05 AM

My apps is on Heavy Forwarder (Windows Server 2012 R2) and on Search Head (Centos 7). I have nothing on my Indexer (Centos 7).

0 Karma
Reply

somesoni2
Revered Legend
‎07-27-2016 09:46 AM

The fillnull done at search time will cause in-efficient searching and fillnull done at index time will cause in-efficient indexing. If you're willing to do that, you've something called SEDCMD in props.conf (to be put in the sourcetype definition at the indexers), using which you can replace blank values to something suiting your need. (e.g. for your csv data, replacing ,, with ,Null,.

E.g.

[yoursourcetype]
..other settings..
SEDCMD-replaceblanks = s/,,/,Null,/g
Reply

bvivi57
Observer
‎07-27-2016 10:51 AM

Hi,
Thanks for your help. I can almost my goal. But the fields do not have the value "Null"
I have this configuration on my props.conf

SEDCMD-replaceblanks = s/;;/;Null;/g

Ans the result is
alt text

But I seek to have this result
alt text

0 Karma
Reply

somesoni2
Revered Legend
‎07-27-2016 11:07 AM

Seems like the field extraction is broken. Could you post the props/transforms in Search Head for your sourcetype?

0 Karma
Reply

bvivi57
Observer
‎07-28-2016 02:15 AM

Hi,
Thank for your help !

My props.conf :

[csv_report_tab]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = date
TIME_FORMAT = %d/%m/%Y
category = Structured
description = "Source type du fichier CSV"
disabled = false
pulldown_type = true
SEDCMD-replaceblanks = s/;;/;Null;/g
TRANSFORMS-id_source = trans_id_source

My transforms.conf

[trans_id_source]
SOURCE_KEY = MetaData:Source
REGEX = ^(?:[^\\\n]*\\){7}\w+_(?P<portefeuille_id>\d+)_(?P<date_trt>\d+)_(?P<id_dollaru>\d+)
FORMAT = portefeuille_id::$1 date_trt::$2 id_dollaru::$3 base::$1"_"$2
WRITE_META = true
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...