Splunk Cloud

Search Reference

Download manual as PDF

Download topic as PDF

fillnull

Description

Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use fillnull to replace null field values with a string. If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string.

Syntax

fillnull [value=string] [<field-list>]

Optional arguments

field-list
Syntax: <field>...
Description: One or more fields, delimited with a space. If not specified, fillnull is applied to all fields.
value
Datatype: value=<string>
Description: Specify a string value to replace null values.
Default: 0

Usage

The fillnull command is a distributable streaming command when a field-list is specified. When no field-list is specified, the fillnull command fits into the dataset processing type. See Command types.

Examples

Example 1:

For the current search results, fill all empty fields with NULL.

... | fillnull value=NULL

Example 2:

For the current search results, fill all empty field values of "foo" and "bar" with NULL.

... | fillnull value=NULL foo bar

Example 3:

For the current search results, fill all empty fields with zero.

... | fillnull

Example 4:

Build a time series chart of web events by host and fill all empty fields with NULL.

sourcetype="web" | timechart count by host | fillnull value=NULL

See also

filldown
streamstats

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the fillnull command.

PREVIOUS
filldown
  NEXT
findtypes

This documentation applies to the following versions of Splunk Cloud: 6.6.3, 7.0.0, 7.0.2, 7.0.3, 7.0.5, 7.1.3


Comments

Rsimons99

Definitely using the fillnull command with an explicit list is much better. Without a list, the command has to retrieve all of the events first to know what all of the fields are. Especially for large number of events, having no list is hugely expensive.

Lstewart splunk, Splunker
March 13, 2017

For performance of the search is it faster to specify fillnull without any fields or fillnull with a field list or a fillnull for each field?
| fillnull value=NULL
| fillnull value=NULL field1 field2 field3
| fillnull value=NULL field1 | fillnull value=NULL field2 | fillnull value=NULL field3

Rsimons99
February 24, 2017

SloshBurch – The fillnull command with no arguments is supposed to consider every field that exists in the input and makes sure that all of those fields exist in every event.

Crobicha – The fillnull command should not prevent drilldown. It might result in a less efficient drilldown search as Splunk can’t push field=value comparisons before the fillnull command into the search clause, because the fillnull command modifies field values. If the search is for a dashboard, you can customize the drill down behavior in the dashboard.

Lstewart splunk, Splunker
December 4, 2015

Note: I am not sure if this is by design/bug/oversight, but if you append and then use "fillnull", it will not work for all fields; only those fields that exist for each search set will get filled. This is kind of a bummer.

Woodcock
December 3, 2015

In a similar situation on our end with Example 3, fillnull does not fill the value without explicitly listing every field. Would you please clarify the default behavior?

SloshBurch
December 3, 2013

It seems that using the fillnull command prevents you from being able to drilldown, is there any way around this?

Crobicha
October 17, 2011

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters