
fillnull
Description
Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use fillnull to replace null field values with a string. If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string.
Syntax
fillnull [value=string] [<field-list>]
Optional arguments
- field-list
  - Syntax: <field>...
  - Description: One or more fields, delimited with a space. If not specified, fillnull is applied to all fields.
- value
  - Datatype: value=<string>
  - Description: Specify a string value to replace null values.
  - Default: 0
Usage
The fillnull command is a distributable streaming command when a field-list is specified. When no field-list is specified, the fillnull command fits into the dataset processing type.
See Command types.
Examples
Example 1:
For the current search results, fill all empty fields with NULL.
... | fillnull value=NULL
Example 2:
For the current search results, fill all empty field values of "foo" and "bar" with NULL.
... | fillnull value=NULL foo bar
Example 3:
For the current search results, fill all empty fields with zero.
... | fillnull
Example 4:
Build a time series chart of web events by host and fill all empty fields with NULL.
sourcetype="web" | timechart count by host | fillnull value=NULL
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.10, 6.4.11, 6.5.0, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1, 6.4.9, 6.5.1, 6.5.10, 6.5.1612 (Splunk Cloud only)
Comments
For performance of the search is it faster to specify fillnull without any fields or fillnull with a field list or a fillnull for each field?
| fillnull value=NULL
| fillnull value=NULL field1 field2 field3
| fillnull value=NULL field1 | fillnull value=NULL field2 | fillnull value=NULL field3
SloshBurch – The fillnull command with no arguments is supposed to consider every field that exists in the input and makes sure that all of those fields exist in every event.
Crobicha – The fillnull command should not prevent drilldown. It might result in a less efficient drilldown search as Splunk can’t push field=value comparisons before the fillnull command into the search clause, because the fillnull command modifies field values. If the search is for a dashboard, you can customize the drill down behavior in the dashboard.
Note: I am not sure if this is by design/bug/oversight, but if you append and then use "fillnull", it will not work for all fields; only those fields that exist for each search set will get filled. This is kind of a bummer.
In a similar situation on our end with Example 3, fillnull does not fill the value without explicitly listing every field. Would you please clarify the default behavior?
It seems that using the fillnull command prevents you from being able to drilldown, is there any way around this?
Rsimons99
Definitely using the fillnull command with an explicit list is much better. Without a list, the command has to retrieve all of the events first to know what all of the fields are. Especially for large number of events, having no list is hugely expensive.