Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Split is converting my empty strings back into nul...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Split is converting my empty strings back into null?
nick405060
Motivator
01-27-2020
04:36 PM
This query kills morejunk even though it should NOT be doing so:
| makeresults | eval a="1 2" | eval b="junk" | append [| makeresults | eval b="morejunk"] | fillnull value="" | eval a=split(a," ") | mvexpand a | table a b
It works if you move the fillnull after the split. I am very aware mvexpand removes null values.
This is a bug, right? There's no way that split is meant to return null for any STRING value it can't split, right? Because otherwise it would be effectively mean death to use split in conjunction with mvexpand without a fillnull directly in between them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
03-19-2020
10:26 AM
Hi Nick,
Another quick update:
Engineering confirmed and is now planning to have the fix for SPL-182511 in 8.0.4+ (this can still change).
Please let me know if there is any further questions.
Maarten Hoogcarspel
Splunk Technical Support
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
02-01-2020
02:34 PM
mvexpand OR stats count by multivalue remove null values.
They are useful. so, I think It' not a bug.
Conversely, do you have problems removing Null?
If it is a known problem, I think fillnull can be used.
Just as index=hoo your_field!= "" and index= foo NOT your_field="" are different, the treatment of NULL in Statistics and Events seems to be different.
In Events
Null means there are no fields.
In Statistics
Null means that the field has no value.
How do you think this?
| makeresults
| eval z=""
| fields z a b c
| fillnull a b c z
However, this result is...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
02-03-2020
12:54 PM
I downvoted this post because I don't think you read the question. The entire point is that split is converting empty strings into null values even when you use fillnull beforehand...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jbrocks
Communicator
02-01-2020
09:41 AM
I think you need to rename the "a", because you define a new by eval and the refer to the old a. Did you try | eval c=split(a, " ")?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nick405060
Motivator
02-03-2020
12:57 PM
You can eval a field back into itself. This should not be the problem here.
Also I tried evaling to a new field and then mvexpanding that new field per your suggestion, and it is still the same issue.
Get Updates on the Splunk Community!
Security Professional: Sharpen Your Defenses with These .conf25 Sessions
Sooooooooooo, guess what.
.conf25 is almost here, and if you're on the Security Learning Path, this is your ...
First Steps with Splunk SOAR
Our first step was to gather a list of the playbooks we wanted and to sort them by priority. Once this list ...
How To Build a Self-Service Observability Practice with Splunk Observability Cloud
If you’ve read our previous post on self-service observability, you already know what it is and why it ...
