
adding multiple fields and value for fillnull

Explorer

The following search is working perfectly fine. If field1 is Null, it gets substituted by RandomString1.

search
| fillnull value="RandomString1" field1
| stats count by field1, field2, field3

Now, if my field2 is Null, I want to substitute it by RandomString2.

In short, I want to update multiple fields with different values in fillnull.

0 Karma

Re: adding multiple fields and value for fillnull

Legend

@ataunk if you need to replace null values with different values based on different fields, you would need to use separate pipes for fillnull.

<yourCurrentSearch>
| fillnull value="RandomString1" field1
| fillnull value="RandomString2" field2
... 



| eval message="Happy Splunking!!!"


0 Karma

Re: adding multiple fields and value for fillnull

Explorer

I tried that, it did not help. I am not getting "RandomString2" in the result set. The particular row is getting eliminated.

But, "RandomString1" does show up.

0 Karma

Re: adding multiple fields and value for fillnull

Legend

Try the following

<yourCurrentSearch>
| eval field1=if(isnull(field1),"randomValue1",field1), field2=if(isnull(field2),"randomValue2",field2)

If it does not work as expected, please give your current search and also some sample events with and without field1 and field2 respectively.




| eval message="Happy Splunking!!!"


0 Karma

Re: adding multiple fields and value for fillnull

Explorer

This worked, thanks!

0 Karma

Re: adding multiple fields and value for fillnull

SplunkTrust

@ataunk - We've moved the comment to be an answer. Please accept the answer so that the question will show as solved.


Re: adding multiple fields and value for fillnull

Legend

Thanks Dal 🙂




| eval message="Happy Splunking!!!"



Re: adding multiple fields and value for fillnull

Path Finder

Niket's answer will work perfectly well, but over time I've migrated to using coalesce, like so:

| eval field1=coalesce(field1,"randomValue1"), field2=coalesce(field2,"randomValue2")

It's a little more readable and can also handle multiple fields in the argument section as well. It's really just a matter of preference.

0 Karma
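
The multi-argument form of coalesce mentioned in the post above, as an added run-anywhere example that is not part of the original thread. The sample rows are constructed with makeresults, and `alt_field2` is a hypothetical fallback field introduced only for illustration; coalesce returns the first non-null argument, so field2 falls back to alt_field2 and only then to the literal default.

```spl
| makeresults count=4
| streamstats count AS n
| eval field1=if(n%2==0, null(), "valueA")
| eval alt_field2=if(n==1, "fromAlt", null())
| eval field2=if(n<=2, null(), "valueB")
| eval field1=coalesce(field1, "randomValue1"), field2=coalesce(field2, alt_field2, "randomValue2")
| stats count BY field1, field2
```

With the coalesce line removed, stats returns only the row where both fields are populated, because stats drops events in which a BY field is null; with it, all four constructed rows are counted.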

Re: adding multiple fields and value for fillnull

Esteemed Legend

See this run-anywhere example which works just fine. The never field never exists and the name field exists about half the time and the sourcetype field exists all the time. There is no reason that multiple fillnull calls should not work:

index=_internal
| fillnull value="RandomString1" name
| fillnull value="RandomString2" never
| stats count BY name, never, sourcetype
0 Karma