fillnull command
Note
To see which AWS data source integrations support this PPL command, see Commands.
Description
Use the fillnull command to replace null values with a
specified value in one or more fields of your search results.
Syntax
Use the following syntax:
fillnull [with <null-replacement> in <nullable-field>["," <nullable-field>]] | [using <source-field> = <null-replacement> [","<source-field> = <null-replacement>]]
-
null-replacement: Mandatory. The value used to replace null values.
-
nullable-field: Mandatory. Field reference. The null values in this field will be replaced with the value specified in null-replacement.
Example 1: Fillnull one field
The example shows how to use fillnull on a single field:
os> source=logs | fields status_code | eval input=status_code | fillnull with 0 in status_code; | input | status_code | |-------|-------------| | 403 | 403 | | 403 | 403 | | NULL | 0 | | NULL | 0 | | 200 | 200 | | 404 | 404 | | 500 | 500 | | NULL | 0 | | 500 | 500 | | 404 | 404 | | 200 | 200 | | 500 | 500 | | NULL | 0 | | NULL | 0 | | 404 | 404 |
Example 2: Fillnull applied to multiple fields
The example shows fillnull applied to multiple fields.
os> source=logs | fields request_path, timestamp | eval input_request_path=request_path, input_timestamp = timestamp | fillnull with '???' in request_path, timestamp; | input_request_path | input_timestamp | request_path | timestamp | |------------------------------------------------------------------------------------| | /contact | NULL | /contact | ??? | | /home | NULL | /home | ??? | | /about | 2023-10-01 10:30:00 | /about | 2023-10-01 10:30:00 | | /home | 2023-10-01 10:15:00 | /home | 2023-10-01 10:15:00 | | NULL | 2023-10-01 10:20:00 | ??? | 2023-10-01 10:20:00 | | NULL | 2023-10-01 11:05:00 | ??? | 2023-10-01 11:05:00 | | /about | NULL | /about | ??? | | /home | 2023-10-01 10:00:00 | /home | 2023-10-01 10:00:00 | | /contact | NULL | /contact | ??? | | NULL | 2023-10-01 10:05:00 | ??? | 2023-10-01 10:05:00 | | NULL | 2023-10-01 10:50:00 | ??? | 2023-10-01 10:50:00 | | /services | NULL | /services | ??? | | /home | 2023-10-01 10:45:00 | /home | 2023-10-01 10:45:00 | | /services | 2023-10-01 11:00:00 | /services | 2023-10-01 11:00:00 | | NULL | 2023-10-01 10:35:00 | ??? | 2023-10-01 10:35:00 |
Example 3: Fillnull applied to multiple fields with various null replacement values.
The example show fillnull with various values used to replace nulls.
-
/errorinrequest_pathfield -
1970-01-01 00:00:00intimestampfield
os> source=logs | fields request_path, timestamp | eval input_request_path=request_path, input_timestamp = timestamp | fillnull using request_path = '/error', timestamp='1970-01-01 00:00:00'; | input_request_path | input_timestamp | request_path | timestamp | |------------------------------------------------------------------------------------| | /contact | NULL | /contact | 1970-01-01 00:00:00 | | /home | NULL | /home | 1970-01-01 00:00:00 | | /about | 2023-10-01 10:30:00 | /about | 2023-10-01 10:30:00 | | /home | 2023-10-01 10:15:00 | /home | 2023-10-01 10:15:00 | | NULL | 2023-10-01 10:20:00 | /error | 2023-10-01 10:20:00 | | NULL | 2023-10-01 11:05:00 | /error | 2023-10-01 11:05:00 | | /about | NULL | /about | 1970-01-01 00:00:00 | | /home | 2023-10-01 10:00:00 | /home | 2023-10-01 10:00:00 | | /contact | NULL | /contact | 1970-01-01 00:00:00 | | NULL | 2023-10-01 10:05:00 | /error | 2023-10-01 10:05:00 | | NULL | 2023-10-01 10:50:00 | /error | 2023-10-01 10:50:00 | | /services | NULL | /services | 1970-01-01 00:00:00 | | /home | 2023-10-01 10:45:00 | /home | 2023-10-01 10:45:00 | | /services | 2023-10-01 11:00:00 | /services | 2023-10-01 11:00:00 | | NULL | 2023-10-01 10:35:00 | /error | 2023-10-01 10:35:00 |
