fillnull - Splunk Documentation (2024)

Description

Replaces null values with a specified value. Null values are field values that are missing in a particular result but present in another result. Use the fillnull command to replace null field values with a string. You can replace the null values in one or more fields. You can specify a string to fill the null field values or use the default, field value which is zero ( 0 ).

Syntax

The required syntax is in bold.

fillnull

[value=<string>]

[<field-list>]

Required arguments

None.

Optional arguments

field-list: Syntax: <field>...; Description: A space-delimited list of one or more fields. If you specify a field list, all of the fields in that list are filled in with the value you specify. If you specify a field that didn't previously exist, the field is created. If you do not specify a field list, the value is applied to all fields.

value: Syntax: value=<string>; Description: Specify a string value to replace null values. If you do not specify a value, the default value is applied to the <field-list>.; Default: 0

Usage

The fillnull command is a distributable streaming command when a field-list is specified. When no field-list is specified, the fillnull command fits into the dataset processing type. See Command types.

Fields in the event set should have at least one non-null value

Due to the unique behavior of the fillnull command, Splunk software isn't able to distinguish between a null field value and a null field that doesn't exist in the Splunk schema. In order for a field to exist in the schema, it must have at least one non-null value in the event set. To ensure downstream processing of fields by the fillnull command, ensure that there is at least one non-null value for the fields in the event set.

For example, consider the following search:

_time	test
2023-06-07 17:49:45	123123

test	test2
123123

_time	test1	test2
2023-06-07 18:22:24	123	NULL
2023-06-07 18:22:24	456	abc

Examples

1. Fill all empty field values with the default value

Your search has produced the following search results:

_time	ACCESSORIES	ARCADE	SHOOTER	SIMULATION	SPORTS	STRATEGY	TEE
2021-03-17	5	17	6	3	5	32
2021-03-16		63	39	30	22	127	56
2021-03-15	65	94	38	42		128	60

You can fill all of empty field values with the zero by adding the fillnull command to your search.

... | fillnull

The search results will look like this:

_time	ACCESSORIES	ARCADE	SHOOTER	SIMULATION	SPORTS	STRATEGY	TEE
2021-03-17	5	17	6	3	5	32	0
2021-03-16	0	63	39	30	22	127	56
2021-03-15	65	94	38	42	0	128	60

2. Fill all empty fields with the string "NULL"

For the current search results, fill all empty field values with the string "NULL".

... | fillnull value=NULL

3. Fill the specified fields with the string "unknown"

Suppose that your search has produced the following search results:

_time	host	average_kbps	instanenous_kbps	kbps
2021/02/14 12:00	danube.sample.com		1.865	3.420
2021/02/14 11:53	mekong.buttercupgames.com	0.710	0.164	1.256
2021/02/14 11:47	danube.sample.com	1.325		2.230
2021/02/14 11:42	yangtze.buttercupgames.com	2.249	0.000	2.249
2021/02/14 11:39		2.874	3.841	1.906
2021/02/14 11:33	nile.example.net	2.023	0.915

You can fill all empty field values in the "host" and "kbps" fields with the string "unknown" by adding the fillnull command to your search.

... | fillnull value=unknown host kbps

The results look like this:

_time	host	average_kbps	instanenous_kbps	kbps
2021/02/14 12:00	danube.sample.com		1.865	3.420
2021/02/14 11:53	mekong.buttercupgames.com	0.710	0.164	1.256
2021/02/14 11:47	danube.sample.com	1.325		2.230
2021/02/14 11:42	yangtze.buttercupgames.com	2.249	0.000	2.249
2021/02/14 11:39	unknown	2.874	3.841	1.906
2021/02/14 11:33	nile.example.net	2.023	0.915	unknown

If you specify a field that does not exist the field is created and the value you specify is added to the new field. For example if you specify bytes in the field list, the bytes field is created and filled with the string "unknown".

... | fillnull value=unknown host kbps bytes

The results look like this:

_time	host	average_kbps	instanenous_kbps	kbps	bytes
2021/02/14 12:00	danube.sample.com		1.865	3.420	unknown
2021/02/14 11:53	mekong.buttercupgames.com	0.710	0.164	1.256	unknown
2021/02/14 11:47	danube.sample.com	1.325		2.230	unknown
2021/02/14 11:42	yangtze.buttercupgames.com	2.249	0.000	2.249	unknown
2021/02/14 11:39	unknown	2.874	3.841	1.906	unknown
2021/02/14 11:33	nile.example.net	2.023	0.915	unknown	unknown

4. Use the fillnull command with the timechart command

Build a time series chart of web events by host and fill all empty fields with the string "NULL".

sourcetype="web" | timechart count by host | fillnull value=NULL

FAQs

What does fillnull do in Splunk? ›

The fillnull command replaces null values in all fields with a zero by default.

Know More ›

What is usenull in Splunk? ›

From the docs (https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/ListOfDataTypes): usenull controls whether or not a series is created for events that do not contain the split-by field. This series is labeled by the value of the nullstr option, and defaults to NULL.

Which command is used to remove empty null field values from the Splunk search results? ›

"the search uses the usenull=f argument to exclude fields that don't have a value. "

What does coalesce do in Splunk? ›

The Splunk Search Processing Language (SPL) coalesce function takes one or more values and returns the first value that is not null.

How to improve Splunk performance? ›

Target your search to a narrow dataset

Limit the timeframe of your search to 15 minutes or less. Reduce the amount of data the Splunk platform needs to search through by specifying specific index names in your searches. Typically, you want to store like data that is commonly searched together in the same index.

See Details ›

What are the three default roles in Splunk? ›

The predefined roles are: admin : This role has the most capabilities. power : This role can edit all shared objects and alerts, tag events, and other similar tasks. user : This role can create and edit its own saved searches, run searches, edit preferences, create and edit event types, and other similar tasks.

Learn More Now ›

How do I check if a field is not null in Splunk? ›

To determine if a field is or isn't null, use the isnull() or isnotnull() function.

How to reindex data in Splunk? ›

To reindex your data, perform the following tasks in Splunk SOAR:

From the main menu, select Administration.
Select Administration Settings.
Select Search Settings.
In the Reindex Search Data section, select an information section from the Section to Reindex drop-down list.
Select Reindex.

Mar 5, 2024

Show Me More ›

How to count null values in Splunk? ›

In your search use the fillnull command and assign a value to that field when it is null, then count that value for the field. Is there a way to rename the NULL to display something else? In your search use the fillnull command and assign a value to that field when it is null, then count that value for the field.

How do I remove null data? ›

2. How to treat null values:

You can drop the missing values with the code df. drop() . This will drop all the rows which contain the missing value.
You can fill the missing values with the code df. fillna(0) . You should specify what you want to fill in place of missing values. In the code, I have filled with zero.

Get More Info Here ›

How do I remove empty events in Splunk? ›

In order to remove events from the search result when field is empty you could just add field=* to your search. field=* means "field is anything but empty".

Read On ›

How to filter null values in Splunk? ›

use |where isnull(Device) to get all events where Device is null and |where isnotnull(Device) or |search Device=* / index=A Device=* to get all events where Device is not null.

Find Out More ›

What is rex in Splunk? ›

The rex command matches the value of the specified field against the unanchored regular expression and extracts the named groups into fields of the corresponding names. When mode=sed , the given sed expression used to replace or substitute characters is applied to the value of the chosen field.

Read The Full Story ›

What is the Ceil function in Splunk? ›

ceil(value)

Mathematical evaluation function that rounds a number up to the next highest integer. Returns the result as a double. Use this scalar function with the eval or the filter streaming functions. Numbers can be type int, long, float, or double.

Know More ›

What is spath in Splunk? ›

What is the Splunk spath Command? The spath command extracts fields and their values from either XML or JSON data. You can specify location paths or allow spath to run in its native form.

Discover More ›

How to monitor user activity in Splunk? ›

You can audit user activity in Splunk UBA by reviewing the audit logs in Splunk UBA or by sending audit logs to the Splunk platform for analysis.

Know More ›

What is the use of addon in Splunk? ›

add-on. A type of app that runs on the Splunk platform and provides specific capabilities to other apps, such as getting data in, mapping data, or providing saved searches and macros. An add-on is not typically run as a standalone app.

Find Out More ›

What is an appendpipe in Splunk? ›

Unlike other commands that use a subsearch, the appendpipe command does not run a new query. Instead, it applies the commands in the subpipeline to the existing result set and creates new "rows" with the output.

Discover More Details ›

fillnull - Splunk Documentation (2024)

Description

Syntax

Required arguments

Optional arguments

Usage

Fields in the event set should have at least one non-null value

Examples

1. Fill all empty field values with the default value

2. Fill all empty fields with the string "NULL"

3. Fill the specified fields with the string "unknown"

4. Use the fillnull command with the timechart command

See also

FAQs

What does fillnull do in Splunk? ›

How do I remove empty events in Splunk? ›