fillnull
The fillnull command replaces null values in one or more fields with a specified value. This is essential for cleaning up data before aggregation, visualization, or export — null values can break charts and skew statistics.
Syntax
Three equivalent syntax forms are available:

```
fillnull with <value> [in <field-list>]
fillnull using <field> = <value> [, <field> = <value>]...
fillnull value=<value> [<field-list>]
```

Arguments
Required

| Argument | Description |
|---|---|
| `<value>` | The replacement value for null fields. |
Optional

| Argument | Description |
|---|---|
| `<field-list>` | Fields in which to replace nulls. Comma-delimited with `with`/`using` syntax, space-delimited with `value=` syntax. When omitted, all fields are processed. |
| `<field> = <value>` | Per-field replacement values (only with `using` syntax). |
Usage notes

- When applying the same value to all fields without specifying field names, all fields must be of the same type. For mixed types, use separate `fillnull` commands or specify fields explicitly.
- The replacement value type must match the field type. You cannot fill a string field with a numeric value or vice versa.
- The `using` syntax is the most flexible form because it lets you assign different default values to different fields in a single command.
- Use `fillnull` before `stats` or `timechart` to ensure null values do not create unwanted `NULL` categories in grouped results.
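
The type rules in the first two notes, as an added example that is not part of the original page: the string fields and a numeric field are filled by separate `fillnull` commands so that each replacement value matches its field's type. `severityNumber` is assumed to be a numeric field in the index; it does not appear elsewhere on this page.

```ppl
source = logs-otel-v1*
// String fields: per-field string defaults in one command
| fillnull using severityText = 'UNSET', `resource.attributes.service.name` = 'unknown'
// Numeric field (assumed to exist in this index): numeric default in its own command
| fillnull with 0 in severityNumber
| stats count() as log_count, max(severityNumber) as max_severity by `resource.attributes.service.name`, severityText
```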
Examples
Fill missing service names with a default

Replace null service name values with `unknown`:

```
source = logs-otel-v1*
| fillnull with 'unknown' in `resource.attributes.service.name`
| stats count() as log_count by `resource.attributes.service.name`
```

Fill multiple fields with the same value
Replace nulls in both `severityText` and `resource.attributes.service.name`:

```
source = logs-otel-v1*
| fillnull with 'N/A' in severityText, `resource.attributes.service.name`
```

Per-field defaults with the using syntax
Assign different default values to different fields:

```
source = logs-otel-v1*
| fillnull using severityText = 'INFO', `resource.attributes.service.name` = 'unknown-service'
```

Fill all fields using the value= syntax
Replace nulls across all string fields with a placeholder:

```
source = logs-otel-v1*
| fillnull value='<empty>'
```

Clean data before visualization
Fill nulls before a `timechart` to prevent `NULL` categories from appearing in charts:

```
source = logs-otel-v1*
| fillnull with 'unknown' in `resource.attributes.service.name`
| timechart timefield=time span=5m count() by `resource.attributes.service.name`
```

Extended examples
Clean OTel log data for a service health dashboard

Fill multiple fields with appropriate defaults before aggregating for a dashboard panel:

```
source = logs-otel-v1*
| fillnull using severityText = 'UNSET', `resource.attributes.service.name` = 'unknown'
| stats count() as total, sum(case(severityText = 'ERROR' OR severityText = 'FATAL', 1 else 0)) as errors by `resource.attributes.service.name`
| eval error_rate = round(errors * 100.0 / total, 2)
| sort - error_rate
```

Fill missing trace context for log-trace correlation
When correlating logs with traces, fill missing trace IDs to identify uncorrelated logs:

```
source = logs-otel-v1*
| fillnull using traceId = 'no-trace', spanId = 'no-span'
| stats count() as log_count by traceId
| where traceId = 'no-trace'
```