The `fillnull` command is not the right way to do it and it will not work for all versions. Here is an approach that will work for all versions of Splunk. Essentially, you create a fake/placeholder event before calling `map`, ignore it inside and then throw it away at the end. So it looks like this. Let's say that you are working on a field called `sid` and have other fields going into the map. You would instrument this solution like this:
... | rename COMMENT1of3 AS "Without the placeholder event, when there are no matching events,"
| rename COMMENT2of3 AS "the 'map' call will generate a 'field not defined' error."
| rename COMMENT3of3 AS "This placeholder event is dropped during/after the 'map' call."
| appendpipe [
| stats count AS placeholder
| where placeholder == 0
| eval sid = "PLACEHOLDER"
]
| map maxsearches=9999 search="
... | $sid$ ... | blah
"
| search NOT sid = "PLACEHOLDER" ...
Latest Images
Trending Articles
More Pages to Explore .....