nano SIEM
Search Commands

fillnull

Replace null or empty field values with a specified value.

Description

The fillnull command replaces null, empty, or missing field values with a default value. This is useful for cleaning data, ensuring fields have values for calculations, or standardizing output.

Syntax

... | fillnull [value=<string>] [<field>, <field>, ...]

Optional Arguments

value
Syntax: value=<string>
Description: Value to use for null fields
Default: "NULL"

field
Syntax: <field>, <field>, ...
Description: Specific fields to fill. If omitted, fills all fields.

Examples

Fill all nulls with default

* | fillnull

Fill with custom value

* | fillnull value="unknown"

Fill specific fields

* | fillnull value="N/A" user, src_ip, dest_ip

Fill with zero

* | fillnull value=0 bytes, response_time

Before aggregation

* | fillnull value="anonymous" user
  | stats count() by user

Clean enrichment fields

* | fillnull value="unknown" enriched_src_country, enriched_dest_country

Fill before calculation

* | fillnull value=0 bytes_in, bytes_out
  | eval total = bytes_in + bytes_out

Standardize output

* | fillnull value="-" user, action, status
  | table timestamp, user, action, status

Usage Notes

All fields: Without field arguments, fills all null fields.

Type preservation: The fill value is always a string, including when it is written as a number such as value=0. Use eval for numeric defaults.

Performance: Minimal performance impact.
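
The behaviour described on this page, modelled in Python as an added example (not nano SIEM's own code): it shows why filling user before a by-user count keeps failed logins with no user visible, and that value=0 yields the string "0". The function names, the constructed sample events, the reading of "all fields" as every field name in the result set, and the aggregation skipping null group-by values are assumptions.

```python
from collections import Counter

def is_null(v):
    # The page treats null, empty and missing values alike.
    return v is None or v == ""

def fillnull(events, value="NULL", fields=None):
    """Model of `fillnull [value=<string>] [<field>, ...]` over a list of dicts."""
    # Assumption: with no field list, "all fields" means every field name
    # seen anywhere in the result set.
    targets = list(fields) if fields else sorted({k for e in events for k in e})
    fill = str(value)  # page: the fill value is always a string
    return [{**e, **{f: fill for f in targets if is_null(e.get(f))}} for e in events]

def count_by(events, field):
    # Assumption: the aggregation skips events whose group-by field is null,
    # so those events vanish from the result.
    return Counter(e[field] for e in events if not is_null(e.get(field)))

# Constructed sample: four failed logins, three of them without a usable user.
EVENTS = [
    {"action": "login_failed", "user": "alice", "src_ip": "198.51.100.7"},
    {"action": "login_failed", "user": None, "src_ip": "198.51.100.7"},
    {"action": "login_failed", "user": "", "src_ip": "203.0.113.9"},
    {"action": "login_failed", "src_ip": "203.0.113.9", "bytes": None},
]

def demo():
    raw = count_by(EVENTS, "user")
    filled = count_by(fillnull(EVENTS, value="anonymous", fields=["user"]), "user")
    return raw, filled

if __name__ == "__main__":
    raw, filled = demo()
    print("without fillnull:", dict(raw))
    print("with fillnull:   ", dict(filled))
    print("value=0 fills with:", repr(fillnull(EVENTS, value=0, fields=["bytes"])[3]["bytes"]))
```
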

Related Commands

  • eval - Use coalesce() for conditional defaults
  • where - Filter null values