Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Showing all fields in search (including empty)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I would like to know how to show all fields in the search even when results are all empty for some of the fields.
I've tried
| fillnull value="NA"
but that only works when there's at least a value in the empty field.
So, I would like splunk to show the following:
header 1 | header2 | header 3
value 1 | < empty > | value 3
value 1 | < empty > | value 3
value 1 | < empty > | value 3
value 1 | < empty > | value 3
value 1 | < empty > | value 3
I would appreciate for any suggestions on this.
Also, I understand that one can also possible do something like
| eval header2=""
but I have over 200 fields and about a handful of them are not filled out depending on situations and would hope to see if there's a better way to do this than listing all the header fields manually in the beginning.
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 2 solutions:
You create a macro and use it like this:
... | `myfillnull()` | ...
Inside this macro you would iterate out every field like this:
eval header1=coalesce(header1,"N/A") | eval header2=coalesce(header2,"N/A") | ... | eval headerN=coalesce(headerN,"N/A")
Alternatively, you could create a lookup with each field laid out like this:
useThisToStripOut,header1,header2,...,headerN
useThisToStripOut,N/A,N/A,...,N/A
Then you could force each field to exist at least once by with append, then use fillnull, then remove the appended event like this:
... | append [|lookupcsv myfillnull] | fillnull value="N/A" | where isnotnull(usetThisToStripOut)
The latter is probably more efficient.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have 2 solutions:
You create a macro and use it like this:
... | `myfillnull()` | ...
Inside this macro you would iterate out every field like this:
eval header1=coalesce(header1,"N/A") | eval header2=coalesce(header2,"N/A") | ... | eval headerN=coalesce(headerN,"N/A")
Alternatively, you could create a lookup with each field laid out like this:
useThisToStripOut,header1,header2,...,headerN
useThisToStripOut,N/A,N/A,...,N/A
Then you could force each field to exist at least once by with append, then use fillnull, then remove the appended event like this:
... | append [|lookupcsv myfillnull] | fillnull value="N/A" | where isnotnull(usetThisToStripOut)
The latter is probably more efficient.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a follow up to the question that was previously asked but no conclusion was achieved.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That question not only has answers, one of them was "conclusively" Accepted as "the answer".
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
