what is the difference between 'usenull' and 'fill...

aarthirajaraman · ‎02-27-2017

I want to know what is the difference between usenull and fillnull command in the splunk? can anyone help me with it to get a clear idea about it?

cmerriman · ‎02-28-2017

fillnull fills all the null values in the results of a specific field/fields/all fields with a value (defaulted as 0)
https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Fillnull

|fillnull FIELD value="N/A"

usenull is used in charting commands like timechart or chart for when you want a series created for events that don't have the split-by field.
http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Chart

|chart count by FIELD usenull=t nullstr="N/A"

youngsuh · ‎10-25-2020

"sourcetype=access_* status=200 action=purchase | chart dc(clientip) OVER date_hour BY categoryId usenull=f

This search takes the purchase events and pipes it into the chart command. The dc() or distinct_count() function is used to count the number of unique visitors (characterized by the clientip field). This number is then charted over each hour of the day and broken out based on the category_id of the purchase. Also, because these are numeric values, the search uses the usenull=f argument to exclude fields that don't have a value."

what is the difference between 'usenull' and 'fillnull' command in splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life