Re: what is the difference between 'usenull' and '...

aarthirajaraman · ‎02-27-2017

I want to know what is the difference between usenull and fillnull command in the splunk? can anyone help me with it to get a clear idea about it?

cmerriman · ‎02-28-2017

fillnull fills all the null values in the results of a specific field/fields/all fields with a value (defaulted as 0)
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Fillnull

|fillnull FIELD value="N/A"

usenull is used in charting commands like timechart or chart for when you want a series created for events that don't have the split-by field.
http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Chart

|chart count by FIELD usenull=t nullstr="N/A"

youngsuh · ‎10-25-2020

"sourcetype=access_* status=200 action=purchase | chart dc(clientip) OVER date_hour BY categoryId usenull=f

This search takes the purchase events and pipes it into the chart command. The dc() or distinct_count() function is used to count the number of unique visitors (characterized by the clientip field). This number is then charted over each hour of the day and broken out based on the category_id of the purchase. Also, because these are numeric values, the search uses the usenull=f argument to exclude fields that don't have a value."

what is the difference between 'usenull' and 'fillnull' command in splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation