Re: Join - how do I fillnull on a join?

the_wolverine · ‎09-21-2012

Join is much more efficient. Is it possible to fillnull on a join so that I can collect the results for events for which there isn't an event to join?

sourcetype=1 | join host [ search sourcetype=2 | fields host,result ] | table host,result

sbsbb · ‎06-29-2013

you can also set the join type to left for example :

sourcetype=1 | join type=left host [ search sourcetype=2 | fields host,result ] | table host,result

http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Join

then you will see every restults from sourcetype, and where there is no events from sourcetype2, the field will only be empty. If you want in place of empty, a 0, then you can add a fillnull...

sourcetype=1 | join type=left host [ search sourcetype=2 | fields host,result ] | fillnull value=0 | table host,result

http://docs.splunk.com/Special:SplunkSearch/docs?q=fillnull

jfcshunter · ‎07-21-2021

Good answer thanks, link updated for newest version (July 2021):

https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Join

dwaddle · ‎09-21-2012

If this is related to your transaction question (http://splunk-base.splunk.com/answers/59493/mostmore-efficient-way-of-counting-incomplete-transactio...) , you may be disappointed here. I think join will run into subsearch limits and not give you the results you desire when there are enough rows to be joined.

Join - how do I fillnull on a join?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!