
Why does Fillnull not work without specifying a field?


If I try to run this search, the value of my_null_field doesn't change to "?"

| makeresults 
| table _time my_null_field
| fillnull value="?"

The fillnull documentation says that if you don't specify a field it should apply to all fields. Strangely when I specify that field it works!

| makeresults 
| table _time my_null_field
| fillnull my_null_field value="?"

Even if I do

| eval my_null_field = null()

before the fillnull, it's still not adding the question mark.

Does anyone know if I'm missing something or if this is a bug?



Hi @606866581,

Yeah, it's strange.

But when I went through the documentation, I found a sentence in the description.

Null values are field values that are missing in a particular result but present in another result

Replaces null values with a specified value. **Null values are field values that are missing in a particular result but present in another result**. Use fillnull to replace null field values with a string. If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string

I think it is considering those fields that have a value in the whole result.

Please execute the search below:

| makeresults 
| eval my_null_field = "Test" 
| table _time my_null_field 
| append 
    [| makeresults 
    | table _time my_null_field ]
| fillnull value=NULL

Documentation Link : http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull

Happy Splunking
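
A small Python model of the documentation sentence quoted in this answer, added here as an illustration; it is not part of the original post and not Splunk's implementation. It assumes results are dicts and that a null field is an absent key or `None`, and shows why the search without a field list leaves `my_null_field` untouched while the `append` search fills it.

```python
# Model of the fillnull definition quoted from the documentation above.
# Illustration of that definition only; not Splunk's implementation.

def fillnull(results, value="0", fields=None):
    """Return copies of `results` with null fields replaced by `value`.

    results: list of dicts, one per search result; a field is null when
             the key is absent or maps to None (assumption of this model).
    fields:  explicit field list, or None to mimic `| fillnull value=...`.
    """
    if fields is None:
        # No field list: only fields that hold a value in at least one
        # result are candidates ("missing in a particular result but
        # present in another result").
        targets = []
        for row in results:
            for name, val in row.items():
                if val is not None and name not in targets:
                    targets.append(name)
    else:
        # Explicit field list: every named field is filled, even if no
        # result carries a value for it.
        targets = list(fields)

    filled = []
    for row in results:
        new_row = dict(row)  # leave the caller's rows unmodified
        for name in targets:
            if new_row.get(name) is None:
                new_row[name] = value
        filled.append(new_row)
    return filled


# Constructed sample results mirroring the searches in the thread.
ONLY_NULL = [{"_time": 1526000000, "my_null_field": None}]
MIXED = [
    {"_time": 1526000000, "my_null_field": "Test"},
    {"_time": 1526000001, "my_null_field": None},
]

if __name__ == "__main__":
    print(fillnull(ONLY_NULL, "?"))                     # field stays null
    print(fillnull(ONLY_NULL, "?", ["my_null_field"]))  # field is filled
    print(fillnull(MIXED, "NULL"))                      # second row filled
```
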


Hi @kamlesh_vaghela

The documentation states:

Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use fillnull to replace null field values with a string. **If you do not specify a field list, fillnull replaces all null values with 0 (the default) or a user-supplied string.**

The last sentence in bold is interesting.

But your example is also quite good, which leads me to believe that either the documentation is unclear on this, and should be updated, or, this is a bug.




You are right, I tested in Splunk Enterprise 7.1 and I have the same problem.
You can use the if function:

| makeresults 
| table _time my_null_field 
| eval my_null_field = if(isnull(my_null_field), "?", my_null_field)


Seems that for some reason the behavior is different, based on what the original data type was. I got the same results for the queries that you tried. Same problem when starting with a lookup. But starting with indexed data worked, so something like

| table _time, field_that_definitely_doesnt_exist
| fillnull value="?"

produced the expected result with the field_that_definitely_doesnt_exist field filled with "?".

Edit: For me the above query, that starts from indexed data, works in 7.0.3, but not in 7.1.0. Weird.


I can reproduce on 7.0.3, so it seems like it's a bug in fillnull.

Will check 7.1 after I get the kids off to school. If it fails there, then I'd file a docs feedback on the fillnull page and let them confirm, and/or a support ticket and make them fix it.

Nice catch!
