Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join - how do I fillnull on a join?

the_wolverine
Champion
‎09-21-2012 11:46 AM

Join is much more efficient. Is it possible to fillnull on a join so that I can collect the results for events for which there isn't an event to join?

sourcetype=1 | join host [ search sourcetype=2 | fields host,result ] | table host,result

Reply

sbsbb
Builder
‎06-29-2013 04:03 AM

you can also set the join type to left for example :

sourcetype=1 | join type=left host [ search sourcetype=2 | fields host,result ] | table host,result

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Join

then you will see every restults from sourcetype, and where there is no events from sourcetype2, the field will only be empty. If you want in place of empty, a 0, then you can add a fillnull...

sourcetype=1 | join type=left host [ search sourcetype=2 | fields host,result ] | fillnull value=0 | table host,result

http://docs.splunk.com/Special:SplunkSearch/docs?q=fillnull

Reply

jfcshunter
Explorer
‎07-21-2021 03:48 AM

Good answer thanks, link updated for newest version (July 2021): 

https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Join

Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-21-2012 08:31 PM

If this is related to your transaction question (http://splunk-base.splunk.com/answers/59493/mostmore-efficient-way-of-counting-incomplete-transactio...) , you may be disappointed here. I think join will run into subsearch limits and not give you the results you desire when there are enough rows to be joined.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...