Get Started

Splunk rename and fillnull Commands: Data Cleanup and Preparation

Splunk SPL Commands
R
Rhombic LLC
Splunk Consulting & Cyber Security · 2 min read

The rename Command

The rename command changes field names in your search results. It’s essential for making dashboard panels readable, standardizing field names across different sourcetypes, and creating presentation-quality output.

Syntax

| rename <old_field> AS <new_field>

Examples

| rename Account_Name AS "User Account"
         src_ip AS "Source IP"
         dest_ip AS "Destination IP"
         count AS "Total Events"

Wildcard Renaming

| rename aws.* AS *

This strips the aws. prefix from all matching fields.

The fillnull Command

The fillnull command replaces null (missing) field values with a specified string. Null values can cause issues in dashboards, CSV exports, and downstream processing.

Syntax

| fillnull [value=<string>] [<field-list>]

Examples

| fillnull value="N/A"
| fillnull value="Unknown" src_ip dest_ip
| fillnull value=0 bytes_in bytes_out

Security Operations Examples

1. Clean Compliance Report Output

index=security sourcetype=WinEventLog:Security EventCode=4624
| stats count BY Account_Name ComputerName Logon_Type
| fillnull value="Unknown"
| rename Account_Name AS "User"
         ComputerName AS "Target System"
         Logon_Type AS "Authentication Method"
         count AS "Login Count"

2. Standardizing Field Names Across Sources

index=security (sourcetype=WinEventLog:Security OR sourcetype=linux:auth)
| eval normalized_user = coalesce(Account_Name, user, src_user)
| eval normalized_host = coalesce(ComputerName, host, dest)
| fillnull value="Unresolved" normalized_user normalized_host
| rename normalized_user AS "User" normalized_host AS "Host"

3. Dashboard-Ready Vulnerability Summary

index=vulnerability sourcetype=qualys
| stats count BY dest_ip severity cvss_score
| fillnull value="Unscored" cvss_score
| rename dest_ip AS "Asset IP"
         severity AS "Severity Level"
         cvss_score AS "CVSS Score"
         count AS "Finding Count"

Best Practices

  • Rename at the end of your search pipeline — Renamed fields can break subsequent commands that reference the original name.
  • Use fillnull before table or outputlookup — Ensures clean output in exports and lookups.
  • Use coalesce() with eval before fillnull — First try to merge equivalent fields, then fill any remaining gaps.
  • Quote multi-word field namesrename src_ip AS "Source IP Address".

Next in the series: The append and appendpipe commands — combining and layering result sets.

Next in the Rhombic SPL Series → Splunk append and appendpipe Commands

Tagged , , , , ,