Splunk Search

Adding multiple fields and values for fillnull

ataunk
Explorer

The following search is working perfectly fine. If field1 is null, it gets substituted by RandomString1.

search
| fillnull value="RandomString1" field1
| stats count by field1, field2, field3

Now, if my field2 is null, I want to substitute it with RandomString2.

In short, I want to update multiple fields with different values in fillnull.

0 Karma

woodcock
Esteemed Legend

See this run-anywhere example which works just fine. The never field never exists and the name field exists about half the time and the sourcetype field exists all the time. There is no reason that multiple fillnull calls should not work:

index=_internal
| fillnull value="RandomString1" name
| fillnull value="RandomString2" never
| stats count BY name, never, sourcetype
0 Karma

Kenshiro70
Path Finder

Niket's answer will work perfectly well, but over time I've migrated to using coalesce, like so:

| eval field1=coalesce(field1,"randomValue1"), field2=coalesce(field2,"randomValue2")

It's a little more readable and can also handle multiple fields in the argument section as well. It's really just a matter of preference.

0 Karma

niketn
Legend

Try the following

<yourCurrentSearch>
| eval field1=if(isnull(field1),"randomValue1",field1), field2=if(isnull(field2),"randomValue2",field2)

If it does not work as expected, please give your current search and also some sample events with and without field1 and field2 respectively.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ataunk
Explorer

This worked thanks!

0 Karma

DalJeanis
SplunkTrust

@ataunk - We've moved the comment to be an answer. Please accept the answer so that the question will show as solved.

niketn
Legend

Thanks Dal 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@ataunk if you need to replace null values as different values based on different fields, you would need to use separate pipes for fillnull.

<yourCurrentSearch>
| fillnull value="RandomString1" field1
| fillnull value="RandomString2" field2
... 
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

ataunk
Explorer

I tried that, it did not help. I am not getting "RandomString2" in the result set. The particular row is getting eliminated.

But, "RandomString1" does show up.

0 Karma
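
The following run-anywhere search is an added example, not code posted by anyone in the thread. It builds four constructed events with makeresults covering every combination of field1 and field2 being present or null, then applies one fillnull per field before the stats from the question; the counter field n is an assumption introduced only to build the sample events.

```spl
| makeresults count=4
| streamstats count AS n
| eval field1=case(n==1 OR n==2, "a"),
       field2=case(n==1 OR n==3, "b"),
       field3="c"
| fillnull value="RandomString1" field1
| fillnull value="RandomString2" field2
| stats count BY field1, field2, field3
```

Removing the two fillnull lines shows the behaviour being worked around: stats drops any event whose BY field is null, so only the event carrying all three fields is counted. Swapping the fillnull lines for the eval coalesce line from the thread, with the same replacement strings, fills the same nulls.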