Hi,
I'm trying to reuse an old app for a new environment and, of course, the data and fields are similar but different, so adapting this part is where the big effort comes. It's 90% done already; however, I'm stuck at this point. I've got semicolon-separated data, which makes it really simple to parse. The problem is that fields with no data contain the string `"NULL"`. This doesn't fit my needs at all. What I need is to convert these `NULL` strings into null-valued fields, just the same as if I do:
`...| eval myNullField = null()`
I know that I cannot get it using null() in a SEDCMD, but just to explain this better, this should be perfect:
`SEDCMD-NullStringtoNull = s/NULL/null()/g`
I don't know if null() returns a hex code that means null for Splunk... Using that code in a SEDCMD could do the trick.
Of course, an easy option could be rewriting those fields with SPL, but that implies modifying each query, and that is my very last option.
Thanks a lot!!