The following search is working perfectly fine. If field1 is Null, it gets substituted by
search | fillnull value="RandomString1" field1 | stats count by field1, field2, field3
Now, if my field2 is Null, I want to substitute it by
In short, I want to update multiple fields with different values in
@ataunk if you need to replace null values with different values based on different fields, you would need to use separate pipes for fillnull.
<yourCurrentSearch> | fillnull value="RandomString1" field1 | fillnull value="RandomString2" field2 ...
I tried that, it did not help. I am not getting "RandomString2" in the result set. The particular row is getting eliminated.
But, "RandomString1" does show up.
Try the following
<yourCurrentSearch> | eval field1=if(isnull(field1),"randomValue1",field1), field2=if(isnull(field2),"randomValue2",field2)
If it does not work as expected, please give your current search and also some sample events with and without field1 and field2 respectively.
Niket's answer will work perfectly well, but over time I've migrated to using coalesce, like so:
| eval field1=coalesce(field1,"randomValue1"), field2=coalesce(field2,"randomValue2")
It's a little more readable and can also handle multiple fields in the argument section as well. It's really just a matter of preference.
See this run-anywhere example which works just fine. The never field never exists and the name field exists about half the time and the sourcetype field exists all the time. There is no reason that multiple fillnull calls should not work:
index=_internal | fillnull value="RandomString1" name | fillnull value="RandomString2" never | stats count BY name, never, sourcetype