lukejadamec got it to work for me, but thanks for all of your help as well! Have a great day!

Can you post the actual fieldname, and the search you just tried?

This is the closest I've gotten to the results I need, because it created two columns labeled "Found Null" and "Found Data". But it grouped all the results under Found Data, and my previous queries have 70%+ of my results have null. I replaced FIELDNAME with the name of the field I'm wanting to change/count. What other part of this example do I have to change for this to work? I'm not familiar with searchmatch.

BINGO! That did it! Thanks for your help and teaching me a new trick in Splunk, too!

Sorry, yes the fieldname should be cs5, and you need to add quotes to the text in the case statement. No quotes around numbers or field names. I updated the answer.

OK, I realize that in your first example, I change fieldname to actual name of the field (in my case, cs5). Do I change the word "case" in your second example? I ask because I ran it "as-is" for the second example, and I still was unable to get results that group into the two types I need.

Try case instead. The 1=1 is a default true that should match all non-NULL values. The NULL values will not make it to the end of the statement, so they should be ok.

Sorry, I was probably being unclear.

The eval fieldname query you suggested didn't replace any found data with the word "fix".

The fieldname that I'm focusing on could capture any combination of letters or numbers - if there's data in the field, I need to replace it with the word "fix". I don't need to retain the data, I just need a count.

If there's no data, I need the word "null" in that field. Then I can get a count of those as well.

This seems like it should be an easy query, but then again, these really basic queries can sometimes be harder than I think.