Hi,
If I try to run this search, the value of my_null_field doesn't change to "?"
| makeresults
| table _time my_null_field
| fillnull value="?"
The fillnull documentation says that if you don't specify a field it should apply to all fields. Strangely, when I specify that field, it works!
| makeresults
| table _time my_null_field
| fillnull my_null_field value="?"
Even if I do
| eval my_null_field = null()
before the fillnull, it's still not adding the question mark.
Does anyone know if I'm missing something or if this is a bug?
Cheers
Hi @606866581,
Yeah, it's strange.
But when I went through the documentation, I found a sentence in the description:
Null values are field values that are missing in a particular result but present in another result
Description
Replaces null values with a specified value. **Null values are field values that are missing in a particular result but present in another result**. Use fillnull to replace null field values with a string. If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string
I think it is considering those fields which have a value from the whole result.
Please execute the search below:
| makeresults
| eval my_null_field = "Test"
| table _time my_null_field
| append
[| makeresults
| table _time my_null_field
]
| fillnull value=NULL
Documentation Link : http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull
Happy Splunking
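Added example (not part of the original answer and not Splunk's code): a small Python model of the rule in the documentation sentence quoted above, assuming that fillnull without a field list only considers fields that hold a value in at least one result. The rows are constructed stand-ins for the searches in this thread, and the model does not cover the version-specific behaviour reported in other replies.

```python
# Toy model of the fillnull rule quoted from the documentation above.
# Assumption (not Splunk's implementation): a result is a dict, and a
# missing key or a None value both count as null.

def fields_with_values(results):
    """Fields that hold a non-null value in at least one result."""
    seen = []
    for row in results:
        for name, value in row.items():
            if value is not None and name not in seen:
                seen.append(name)
    return seen

def fillnull(results, value="0", fields=None):
    """Fill nulls in `fields`; with no field list, only fields that
    have a value somewhere in the result set are candidates."""
    targets = list(fields) if fields else fields_with_values(results)
    filled = []
    for row in results:
        new_row = dict(row)
        for name in targets:
            if new_row.get(name) is None:
                new_row[name] = value
        filled.append(new_row)
    return filled

# Constructed sample rows standing in for the searches in this thread.
ONLY_NULL = [{"_time": 1, "my_null_field": None}]
MIXED = [{"_time": 1, "my_null_field": "Test"},
         {"_time": 2, "my_null_field": None}]

def demo():
    return {
        "no_field_list": fillnull(ONLY_NULL, value="?"),
        "explicit_field": fillnull(ONLY_NULL, value="?",
                                   fields=["my_null_field"]),
        "appended": fillnull(MIXED, value="NULL"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Under this model the first search leaves my_null_field untouched because no result carries a value for it, while naming the field or appending a row that has a value makes it a fill target.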
Hi @kamlesh_vaghela
the documentation states:
Description
Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use fillnull to replace null field values with a string. **If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string.**
The last sentence in bold is interesting.
But your example is also quite good, which leads me to believe that either the documentation is unclear on this and should be updated, or this is a bug.
Hello,
You are right, I tested in Splunk Enterprise 7.1 and I have the same problem.
You can use the if function:
| makeresults
| table _time my_null_field
| eval my_null_field = if(isnull(my_null_field), "?", my_null_field)
Seems that for some reason the behavior is different, based on what the original data type was. I got the same results for the queries that you tried. Same problem when starting with a lookup. But starting with indexed data worked, so something like
index=_internal
| table _time, field_that_definitely_doesnt_exist
| fillnull value="?"
produced the expected result with the field_that_definitely_doesnt_exist field filled with "?".
Edit: For me the above query, that starts from indexed data, works in 7.0.3, but not in 7.1.0. Weird.
I can reproduce on 7.0.3, so it seems like it's a bug in fillnull.
Will check 7.1 after I get the kids off to school. If it fails there, then I'd file a docs feedback on the fillnull page and let them confirm, and/or a support ticket and make them fix it.
Nice catch!