Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Split is converting my empty strings back into null?

nick405060
Motivator
‎01-27-2020 04:36 PM

This query kills morejunk even though it should NOT be doing so:

| makeresults | eval a="1 2" | eval b="junk" | append [| makeresults | eval b="morejunk"] | fillnull value="" | eval a=split(a," ") | mvexpand a | table a b

It works if you move the fillnull after the split. I am very aware mvexpand removes null values.

This is a bug, right? There's no way that split is meant to return null for any STRING value it can't split, right? Because otherwise it would be effectively mean death to use split in conjunction with mvexpand without a fillnull directly in between them.

Reply

nick405060
Motivator
‎03-19-2020 10:26 AM

Hi Nick,

Another quick update:
Engineering confirmed and is now planning to have the fix for SPL-182511 in 8.0.4+ (this can still change).

Please let me know if there is any further questions.

Maarten Hoogcarspel
Splunk Technical Support

0 Karma
Reply

to4kawa
Ultra Champion
‎02-01-2020 02:34 PM

mvexpand OR stats count by multivalue remove null values.
They are useful. so, I think It' not a bug.

Conversely, do you have problems removing Null?
If it is a known problem, I think fillnull can be used.

Just as index=hoo your_field!= "" and index= foo NOT your_field="" are different, the treatment of NULL in Statistics and Events seems to be different.
In Events
Null means there are no fields.
In Statistics
Null means that the field has no value.
How do you think this?

| makeresults
| eval z=""
| fields z a b c
| fillnull a b c z

However, this result is...

0 Karma
Reply

nick405060
Motivator
‎02-03-2020 12:54 PM

I downvoted this post because I don't think you read the question. The entire point is that split is converting empty strings into null values even when you use fillnull beforehand...

0 Karma
Reply

jbrocks
Communicator
‎02-01-2020 09:41 AM

I think you need to rename the "a", because you define a new by eval and the refer to the old a. Did you try | eval c=split(a, " ")?

0 Karma
Reply

nick405060
Motivator
‎02-03-2020 12:57 PM

You can eval a field back into itself. This should not be the problem here.

Also I tried evaling to a new field and then mvexpanding that new field per your suggestion, and it is still the same issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...