I need to fill missing values from search items as NULL (not the string, but actual NULL values).
I see options to check if the value is NULL (isnull) or even fill NULL values with a string (fillnull). But what I need is to write the value to be NULL.
I searched but could not get an answer.
Thanks for all the help in this matter.
Abhi
It's just null()
So you can do things like
| eval foo=if(sky="blue",foo,null())
That would conditionally erase the field "foo" from any rows that claim the sky is not blue.
Extra reading: A fair number of examples out there use "null" as though it was a reserved keyword in the eval command, but it is not. Those examples just happen to work because there is generally not a field called "null", and eval allows you to name any field at all. Thus specifying null is the same as nonexistentField, and is generally null valued...
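An added example, not part of the answer above and not taken from Splunk's documentation, that runs null() and the bare word null side by side on three generated rows. The sample rows, the values "constructed-N" and "oops", and the field names cleared_fn and cleared_bare are made up for illustration, and it assumes, as the answer states, that eval accepts a field literally named null: on the row where that field exists, cleared_bare picks up its value while cleared_fn is really cleared.

```spl
| makeresults count=3
| streamstats count AS n
| eval sky=case(n=1,"blue", n=2,"grey", n=3,"grey")
| eval foo="constructed-".tostring(n)
| eval null=if(n=3,"oops",null())
| eval cleared_fn=if(sky="blue",foo,null())
| eval cleared_bare=if(sky="blue",foo,null)
| eval fn_is_null=if(isnull(cleared_fn),"yes","no")
| eval bare_is_null=if(isnull(cleared_bare),"yes","no")
| table n sky foo null cleared_fn cleared_bare fn_is_null bare_is_null
```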
Try this, it resolved my problem.
|fillnull value="#"
Hi abhijitp,
did you look at the eval function null() http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions ?
null()
This function takes no arguments and returns NULL.
The evaluation engine uses NULL to represent "no value"; setting a field to NULL clears its value.
Hope this helps ...
cheers, MuS
Thanks for all the help. It worked as I wanted using this
| eval foo=if(sky="blue",foo,null())
Again too slow today 🙂
I tied @sideview yesterday on an answer and we both had typos but OP selected him.
HeHe, I have no problem at all if an OP selects @sideview's answer to be the right one over mine, because @sideview will be for sure more right/correct/precise than I am!
This is also because I do not know Splunk ©
.... I'm still learning and I have no problem at all to admit that fact 😉
I've picked up that old habit of answering questions the moment I get the "expert" notification from Splunk, but I do have that haunting feeling as I type, that someone else might be answering simultaneously. omg type faster!
I really love the camaraderie 🙂
Thanks. Let me try this out.