Splunk Core Certified Power User — Question 169
Why would the following search return no results?
index=web sourcetype=http:log | fillnull user | where isnull(user)
Answer options
- A. The user field is never null after the fillnull command.
- B. The user does not have permissions to filter on the user field.
- C. There are no event types that match the search string.
- D. The user field is always null after the fillnull command.
Correct answer: A
Explanation
The correct answer is A. The fillnull command replaces null values in the specified fields, so the user field is never null once it has run. The following where isnull(user) clause therefore matches no events, and the search returns nothing. Option B is incorrect because a permissions issue would not inherently cause the search to return no results. Option C is irrelevant because it concerns event types rather than field values. Option D contradicts what the fillnull command does.