Solved: Re: I need to fill missing values in a search as N...

abhijitp · ‎04-04-2016

I need to fill missing values from search items as NULL (not the string, but actual NULL values)

I see options to check if the values is NULL (isnull) or even fill NULL values with a string (fillnull). But what I need is to write the value to be NULL.

I searched but could not get an answer.

Thanks for all the help in this matter.
Abhi

sideview · ‎04-04-2016

it's just null()

So you can do things like

| eval foo=if(sky="blue",foo,null())

that would conditionally erase the field "foo" from any rows that claim the sky is not blue.

Extra reading: A fair number of examples out there use "null" as though it was a reserved keyword in the eval command but it is not. those examples just happen to work because there is generally not a field called "null", and eval allows you to name any field at all. thus specifying null is the same as nonexistentField, and is generally null valued...

View solution in original post

kartik13 · ‎04-05-2016

Try this , it resolved my problem.

|fillnull value="#"

MuS · ‎04-04-2016

Hi abhijitp,

did you look at the eval function null() http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions ?

null()  
This function takes no arguments and returns NULL. 
The evaluation engine uses NULL to represent "no value"; setting a field to NULL clears its value.

Hope this helps ...

cheers, MuS

sideview · ‎04-04-2016

it's just null()

So you can do things like

| eval foo=if(sky="blue",foo,null())

that would conditionally erase the field "foo" from any rows that claim the sky is not blue.

Extra reading: A fair number of examples out there use "null" as though it was a reserved keyword in the eval command but it is not. those examples just happen to work because there is generally not a field called "null", and eval allows you to name any field at all. thus specifying null is the same as nonexistentField, and is generally null valued...

abhijitp · ‎04-05-2016

Thanks all the help. It worked as I wanted using this

| eval foo=if(sky="blue",foo,null())

MuS · ‎04-04-2016

Again too slow today 🙂

woodcock · ‎04-05-2016

I tied @sideview yesterday on an answer and we both had typos but OP selected him.

MuS · ‎04-08-2016

HeHe, I have no problem at all if an OP selects @sideview 's answer to be the right one over mine, because @sideview will be for sure more right/correct/precise then I am !

sideview · ‎04-05-2016

I've picked up that old habit of answering questions the moment I get the "expert" notification from Splunk, but I do have that haunting feeling as I type, that someone else might be answering simultaneously. omg type faster!

abhijitp · ‎04-05-2016

I really love the camaraderie 🙂

abhijitp · ‎04-04-2016

Thanks. Let me try this out.

I need to fill missing values in a search as NULL

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases