
Why does Fillnull not work without specifying a field?

606866581

Hi,
If I try to run this search, the value of my_null_field doesn't change to "?"

| makeresults 
| table _time my_null_field
| fillnull value="?"

The fillnull documentation says that if you don't specify a field it should apply to all fields. Strangely when I specify that field it works!

| makeresults 
| table _time my_null_field
| fillnull my_null_field value="?"

Even if I do

| eval my_null_field = null()

before the fillnull, it's still not adding the question mark.

Does anyone know if I'm missing something or if this is a bug?
Cheers


kamlesh_vaghela

Hi @606866581,

Yeah, it's strange.

But when I went through the documentation, I found a sentence in the description:

Null values are field values that are missing in a particular result but present in another result

Description
Replaces null values with a specified value. **Null values are field values that are missing in a particular result but present in another result**. Use fillnull to replace null field values with a string. If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string.

I think it is considering those fields which have a value in the whole result.

Please execute the search below:

| makeresults 
| eval my_null_field = "Test" 
| table _time my_null_field 
| append 
    [| makeresults 
    | table _time my_null_field 
        ] 
| fillnull value=NULL

Documentation link: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull

Happy Splunking

anirbandasdeb

Hi @kamlesh_vaghela

The documentation states:

Description
Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use fillnull to replace null field values with a string. **If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string.**

The last sentence in bold is interesting.

But your example is also quite good, which leads me to believe that either the documentation is unclear on this, and should be updated, or, this is a bug.


TISKAR

Hello,

You are right, I tested in Splunk Enterprise 7.1 and I have the same problem.
You can use the if function:

| makeresults 
| table _time my_null_field 
| eval my_null_field = if(isnull(my_null_field), "?", my_null_field)

janispelss

Seems that for some reason the behavior is different, based on what the original data type was. I got the same results for the queries that you tried. Same problem when starting with a lookup. But starting with indexed data worked, so something like

index=_internal
| table _time, field_that_definitely_doesnt_exist
| fillnull value="?"

produced the expected result with the field_that_definitely_doesnt_exist field filled with "?".

Edit: For me the above query, that starts from indexed data, works in 7.0.3, but not in 7.1.0. Weird.

Richfez

I can reproduce on 7.0.3, so it seems like it's a bug in fillnull.

Will check 7.1 after I get the kids off to school. If it fails there, then I'd file a docs feedback on the fillnull page and let them confirm, and/or a support ticket and make them fix it.

Nice catch!
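
The documentation sentence quoted in this thread ("missing in a particular result but present in another result"), written out as a small Python model. This is an added example, not code from any poster and not Splunk's implementation; the dict-per-result representation, the function names and the sample rows are assumptions made for illustration, and the model does not cover the version and data-source differences reported above.

```python
# Toy model of the documented fillnull definition; NOT Splunk's code.
# Assumption: a result is a dict, and a field that has no value is either
# absent from the dict or set to None (as after `eval f = null()`).

def fields_with_values(results):
    """Field names that hold a value in at least one result."""
    seen = []
    for row in results:
        for name, val in row.items():
            if val is not None and name not in seen:
                seen.append(name)
    return seen

def fillnull(results, value="0", field_list=None):
    """Without field_list, only fields that some result already carries
    are candidates; with field_list, the named fields are always filled."""
    targets = list(field_list) if field_list else fields_with_values(results)
    filled = []
    for row in results:
        new_row = dict(row)
        for name in targets:
            if new_row.get(name) is None:
                new_row[name] = value
        filled.append(new_row)
    return filled

# Constructed sample rows mirroring the searches in the thread.
SINGLE = [{"_time": 1526000000}]                        # makeresults | table ...
EVAL_NULL = [{"_time": 1526000000, "my_null_field": None}]
APPENDED = [{"_time": 1526000000, "my_null_field": "Test"},
            {"_time": 1526000001}]                      # the append search

def demo():
    return {
        "no_list": fillnull(SINGLE, "?"),
        "eval_null": fillnull(EVAL_NULL, "?"),
        "with_list": fillnull(SINGLE, "?", ["my_null_field"]),
        "append": fillnull(APPENDED, "NULL"),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Under this reading, a field that has no value in any result is never a candidate unless it is named explicitly, which matches the first two searches in the question and the append search in the reply.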
