Splunk® Enterprise

Search Reference

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

fillnull

Description

Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use the fillnull command to replace null field values with a string. You can replace the null values in one or more fields. You can specify a string to fill the null field values or use the default, field value which is zero ( 0 ).

Syntax

The required syntax is in bold.

fillnull
[value=<string>]
[<field-list>]

Required arguments

None.

Optional arguments

field-list
Syntax: <field>...
Description: A space-delimited list of one or more fields. If you specify a field list, all of the fields in that list are filled in with the value you specify. If you specify a field that didn't previously exist, the field is created. If you do not specify a field list, the value is applied to all fields.
value
Syntax: value=<string>
Description: Specify a string value to replace null values. If you do not specify a value, the default value is applied to the <field-list>.
Default: 0

Usage

The fillnull command is a distributable streaming command when a field-list is specified. When no field-list is specified, fillnull is a dataset processing command. See Command types.

Examples

1. Fill all empty field values with the default value

Your search has produced the following search results:

_time ACCESSORIES ARCADE SHOOTER SIMULATION SPORTS STRATEGY TEE
2021-03-17 5 17 6 3 5 32
2021-03-16 63 39 30 22 127 56
2021-03-15 65 94 38 42 128 60

You can fill all of empty field values with a zero ( 0 ) by adding the fillnull command to the end of your search.

... | fillnull

The search results will look like this:

_time ACCESSORIES ARCADE SHOOTER SIMULATION SPORTS STRATEGY TEE
2021-03-17 5 17 6 3 5 32 0
2021-03-16 0 63 39 30 22 127 56
2021-03-15 65 94 38 42 0 128 60

2. Fill all empty fields with the string "NULL"

For the current search results, fill all empty field values with the string "NULL".

... | fillnull value=NULL

Using the search results from the previous example, adding value=NULL to the end of your search changes the results to this:

_time ACCESSORIES ARCADE SHOOTER SIMULATION SPORTS STRATEGY TEE
2021-03-17 5 17 6 3 5 32 NULL
2021-03-16 NULL 63 39 30 22 127 56
2021-03-15 65 94 38 42 NULL 128 60


3. Fill the specified fields with the string "unknown"

Your search has produced the following search results:

_time host average_kbps instanenous_kbps kbps
2021/02/14 12:00 danube.sample.com 1.865 3.420
2021/02/14 11:53 mekong.buttercupgames.com 0.710 0.164 1.256
2021/02/14 11:47 danube.sample.com 1.325 2.230
2021/02/14 11:42 yangtze.buttercupgames.com 2.249 0.000 2.249
2021/02/14 11:39 2.874 3.841 1.906
2021/02/14 11:33 nile.example.net 2.023 0.915

You can fill all empty field values in the "host" and "kbps" fields with the string "unknown" by adding the fillnull command to your search.

... | fillnull value=unknown host kbps


_time host average_kbps instanenous_kbps kbps
2021/02/14 12:00 danube.sample.com 1.865 3.420
2021/02/14 11:53 mekong.buttercupgames.com 0.710 0.164 1.256
2021/02/14 11:47 danube.sample.com 1.325 2.230
2021/02/14 11:42 yangtze.buttercupgames.com 2.249 0.000 2.249
2021/02/14 11:39 unknown 2.874 3.841 1.906
2021/02/14 11:33 nile.example.net 2.023 0.915 unknown


if you specify a field that does not exist, the field is created and the value you specify is added to the new field.

For example if you specify bytes in the field list, the bytes field is created and filled with the string "unknown".

... | fillnull value=unknown host kbps bytes


_time host average_kbps instanenous_kbps kbps bytes
2021/02/14 12:00 danube.sample.com 1.865 3.420 unknown
2021/02/14 11:53 mekong.buttercupgames.com 0.710 0.164 1.256 unknown
2021/02/14 11:47 danube.sample.com 1.325 2.230 unknown
2021/02/14 11:42 yangtze.buttercupgames.com 2.249 0.000 2.249 unknown
2021/02/14 11:39 unknown 2.874 3.841 1.906 unknown
2021/02/14 11:33 nile.example.net 2.023 0.915 unknown unknown

4. Use the fillnull command with the timechart command

Build a time series chart of web events by host and fill all empty fields with the string "NULL".

sourcetype="web" | timechart count by host | fillnull value=NULL

See also

filldown
streamstats

Last modified on 29 November, 2021
filldown   findtypes

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters