Following search is working perfectly fine. If field1
is Null it gets substitute by RandomString1
search
| fillnull value="RandomString1" field1
| stats count by field1, field2, field3
Now, if my filed2
is Null, I want to substitute it by RandomString2
.
In short I want to update multiple fileds with different value in fillnull
See this run-anywhere example which works just fine. The never
field never exists and the name
field exists about half the time and the sourcetype
field exists all the time. There is no reason that multiple fillnull
calls should not work:
index=_internal
| fillnull value="RandomString1" name
| fillnull value="RandomString2" never
| stats count BY name, never, sourcetype
Niket's answer will work perfectly well, but over time I've migrated to using coalesce
, like so:
| eval field1=coalesce(field1,"randomValue1"), field2=coalesce(field2,"randomValue2")
It's a little more readable and can also handle multiple fields in the argument section as well. It's really just a matter of preference.
Try the following
<yourCurrentSearch>
| eval field1=if(isnull(field1),"randomValue1",field1), field2=if(isnull(field2),"randomValue2",field2)
If does not work as expected, please give your current search and also some sample events with and without field1 and field2 respectively.
This worked thanks!
@ataunk - We've moved the comment to be an answer. Please accept the answer so that the question will show as solved.
Thanks Dal 🙂
@ataunk if you need to replace null values as different values based on different fields, you would need to use separate pipes for fillnull.
<yourCurrentSearch>
| fillull value="RandomString1" field1
| fillull value="RandomString2" field2
...
I tried that, it did not help. I am not getting "RandomString2" in the result set. The particular row is getting elemninated.
But, "RandomString1" does shows up.