Behaviour with the fillnull & replace commands

akarivaratharaj · ‎09-26-2019

host=* sourcetype=* 

|replace *.zip WITH * IN Object |
replace *.csv WITH * IN Object |
replace *.null WITH * IN Object |
replace *.xls WITH * IN Object |
replace *.pdf WITH * IN Object 

|fillnull value=0, Bytes_W 

|stats sum(Bytes_W)

In the above code, I am using replace command to replace the field values of Object with * wherever it has values with some extension like .csv, .null, etc., Also I am using the fillnull command to fill the value as ‘0’ wherever the field Bytes_W is not available.

The query with replace command as first and followed by fillnull is providing the Bytes_W result as 0 (though there are data for the field Bytes_W). Whereas the same query, if I change the position of the commands as fillnull first and followed by replace command, providing the correct results.

Note:- This issue is happening only during a particular time period.

Not sure what is causing the problem over here. Could anyone please help me in this case.

kamlesh_vaghela · ‎09-26-2019

@akarivaratharaj

|fillnull value=0, Bytes_W will only work if there a single value available in Bytes_W field across the results.

Null values are field values that are missing in a particular result but present in another result.

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/fillnull

Can you please try below search?

 host=* sourcetype=* 

 |replace *.zip WITH * IN Object |
 replace *.csv WITH * IN Object |
 replace *.null WITH * IN Object |
 replace *.xls WITH * IN Object |
 replace *.pdf WITH * IN Object 

| eval Bytes_W=if(isnull(Bytes_W),0,Bytes_W )

 |stats sum(Bytes_W)

Behaviour with the fillnull & replace commands

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor