Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Download topic as PDF

fillnull

Description

Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use fillnull to replace null field values with a string. If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string.

Syntax

fillnull [value=string] [<field-list>]

Optional arguments

field-list
Syntax: <field>...
Description: One or more fields, delimited with a space. If not specified, fillnull is applied to all fields.
value
Datatype: value=<string>
Description: Specify a string value to replace null values.
Default: 0

Usage

The fillnull command is a distributable streaming command when a field-list is specified. When no field-list is specified, the fillnull command fits into the dataset processing type. See Command types.

Examples

Example 1:

For the current search results, fill all empty fields with NULL.

... | fillnull value=NULL

Example 2:

For the current search results, fill all empty field values of "foo" and "bar" with NULL.

... | fillnull value=NULL foo bar

Example 3:

For the current search results, fill all empty fields with zero.

... | fillnull

Example 4:

Build a time series chart of web events by host and fill all empty fields with NULL.

sourcetype="web" | timechart count by host | fillnull value=NULL

See also

filldown
streamstats

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the fillnull command.

Last modified on 07 August, 2019
PREVIOUS
filldown 		  NEXT
findtypes

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.10, 6.3.1, 6.6.9, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 7.0.1, 7.0.11, 7.0.13

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters