fillnull
Description
Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use the fillnull command to replace null field values with a string. You can replace the null values in one or more fields. You can specify a string to fill the null field values or use the default, field value which is zero ( 0 ).
Syntax
The required syntax is in bold.
- fillnull
- [value=<string>]
- [<field-list>]
Required arguments
None.
Optional arguments
- field-list
- Syntax: <field>...
- Description: A space-delimited list of one or more fields. If you specify a field list, all of the fields in that list are filled in with the
valueyou specify. If you specify a field that didn't previously exist, the field is created. If you do not specify a field list, thevalueis applied to all fields.
- value
- Syntax: value=<string>
- Description: Specify a string value to replace null values. If you do not specify a value, the default value is applied to the <field-list>.
- Default: 0
Usage
The fillnull command is a distributable streaming command when a field-list is specified. When no field-list is specified, fillnull is a dataset processing command. See Command types.
Examples
1. Fill all empty field values with the default value
Your search has produced the following search results:
| _time | ACCESSORIES | ARCADE | SHOOTER | SIMULATION | SPORTS | STRATEGY | TEE |
|---|---|---|---|---|---|---|---|
| 2021-03-17 | 5 | 17 | 6 | 3 | 5 | 32 | |
| 2021-03-16 | 63 | 39 | 30 | 22 | 127 | 56 | |
| 2021-03-15 | 65 | 94 | 38 | 42 | 128 | 60 |
You can fill all of empty field values with a zero ( 0 ) by adding the fillnull command to the end of your search.
... | fillnull
The search results will look like this:
| _time | ACCESSORIES | ARCADE | SHOOTER | SIMULATION | SPORTS | STRATEGY | TEE |
|---|---|---|---|---|---|---|---|
| 2021-03-17 | 5 | 17 | 6 | 3 | 5 | 32 | 0 |
| 2021-03-16 | 0 | 63 | 39 | 30 | 22 | 127 | 56 |
| 2021-03-15 | 65 | 94 | 38 | 42 | 0 | 128 | 60 |
2. Fill all empty fields with the string "NULL"
For the current search results, fill all empty field values with the string "NULL".
... | fillnull value=NULL
Using the search results from the previous example, adding value=NULL to the end of your search changes the results to this:
| _time | ACCESSORIES | ARCADE | SHOOTER | SIMULATION | SPORTS | STRATEGY | TEE |
|---|---|---|---|---|---|---|---|
| 2021-03-17 | 5 | 17 | 6 | 3 | 5 | 32 | NULL |
| 2021-03-16 | NULL | 63 | 39 | 30 | 22 | 127 | 56 |
| 2021-03-15 | 65 | 94 | 38 | 42 | NULL | 128 | 60 |
3. Fill the specified fields with the string "unknown"
Your search has produced the following search results:
| _time | host | average_kbps | instanenous_kbps | kbps |
|---|---|---|---|---|
| 2021/02/14 12:00 | danube.sample.com | 1.865 | 3.420 | |
| 2021/02/14 11:53 | mekong.buttercupgames.com | 0.710 | 0.164 | 1.256 |
| 2021/02/14 11:47 | danube.sample.com | 1.325 | 2.230 | |
| 2021/02/14 11:42 | yangtze.buttercupgames.com | 2.249 | 0.000 | 2.249 |
| 2021/02/14 11:39 | 2.874 | 3.841 | 1.906 | |
| 2021/02/14 11:33 | nile.example.net | 2.023 | 0.915 |
You can fill all empty field values in the "host" and "kbps" fields with the string "unknown" by adding the fillnull command to your search.
... | fillnull value=unknown host kbps
| _time | host | average_kbps | instanenous_kbps | kbps |
|---|---|---|---|---|
| 2021/02/14 12:00 | danube.sample.com | 1.865 | 3.420 | |
| 2021/02/14 11:53 | mekong.buttercupgames.com | 0.710 | 0.164 | 1.256 |
| 2021/02/14 11:47 | danube.sample.com | 1.325 | 2.230 | |
| 2021/02/14 11:42 | yangtze.buttercupgames.com | 2.249 | 0.000 | 2.249 |
| 2021/02/14 11:39 | unknown | 2.874 | 3.841 | 1.906 |
| 2021/02/14 11:33 | nile.example.net | 2.023 | 0.915 | unknown |
if you specify a field that does not exist, the field is created and the value you specify is added to the new field.
For example if you specify bytes in the field list, the bytes field is created and filled with the string "unknown".
... | fillnull value=unknown host kbps bytes
| _time | host | average_kbps | instanenous_kbps | kbps | bytes |
|---|---|---|---|---|---|
| 2021/02/14 12:00 | danube.sample.com | 1.865 | 3.420 | unknown | |
| 2021/02/14 11:53 | mekong.buttercupgames.com | 0.710 | 0.164 | 1.256 | unknown |
| 2021/02/14 11:47 | danube.sample.com | 1.325 | 2.230 | unknown | |
| 2021/02/14 11:42 | yangtze.buttercupgames.com | 2.249 | 0.000 | 2.249 | unknown |
| 2021/02/14 11:39 | unknown | 2.874 | 3.841 | 1.906 | unknown |
| 2021/02/14 11:33 | nile.example.net | 2.023 | 0.915 | unknown | unknown |
4. Use the fillnull command with the timechart command
Build a time series chart of web events by host and fill all empty fields with the string "NULL".
sourcetype="web" | timechart count by host | fillnull value=NULL
See also
| filldown | findtypes |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12
Download manual
Feedback submitted, thanks!