In order to create a timestamp with a specific field, my search is like this:
search xxx | eval _raw=FIELD_TIME.", FIELD_A=\"".FIELD_A."\", FIELD_B=\"".FIELD_B."\"" | collect index=yyy
But if FIELD_A is an empty string, it will become a null value in index=yyy. Does anyone know how to fix it? Thanks
Try something like this:
search xxx | eval _raw=FIELD_TIME.", FIELD_A=\"".coalesce(FIELD_A,"")."\", FIELD_B=\"".FIELD_B."\"" | collect index=yyy
It does not work
Use the fillnull command to replace null values with something else. This command replaces all null values with a single space, but you can limit it to FIELD_A if you wish.
search xxx | fillnull value=' ' | eval _raw=FIELD_TIME.", FIELD_A=\"".FIELD_A."\", FIELD_B=\"".FIELD_B."\"" | collect index=yyy