Splunk Search

field value appears to be null


I'm running a search (below) that has results that sometimes in certain fields will display in the gui as empty (null) but aren't.  We I export the results I see "" as the value in the field.  I've tried several things to populate this field with data so I can search on it but I've had no luck.  Any thoughts / guidance is greatly appreciated.

search string:

| rest /servicesNS/-/-/saved/searches | where disabled=0 AND splunk_server="some_server"

| fillnull value=na next_scheduled_time


When I export the results and open in notepad, results are below:


"Access - Distinct Sources","","-48h@h",now,24h,"",
"Access - Distinct Users","","-48h@h",now,24h,"",

Labels (1)
0 Karma


This may be kind of crazy but it works:

| rest /servicesNS/-/-/saved/searches | where disabled=0 AND splunk_server="my_splunk_server"
| eval n=strptime(next_scheduled_time, "%Y-%m-%d %H:%M:%S %Z")
| eval y=if(isnum(n), "yes", "no")
| search y="yes"
| table next_scheduled_time n y

0 Karma