https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443528#M125822 <P>hi could someone please help me out here. been stuck with a problem. we have multiple existing queries in our environment. i am creating a sort of universal macro to work with the current queries.</P> <P>the problem is, there are some fields which exists in some of the base queries but doesnt exist in another. how do i do a map in that macro with and if/isnull even with the missing fields.</P> <P>Example</P> <P>base search1 below:</P> <PRE><CODE>| makeresults | eval field1="abc" | eval field2="def" </CODE></PRE> <P>base search2 below:</P> <PRE><CODE>| makeresults | eval field1="abc" | eval field2="def" | eval field3="opq" | eval field4="rst" </CODE></PRE> <P>macro below:</P> <PRE><CODE>| map [search index=test1... | eval field1=if(isnull("$field1$"),"","$field1$") | eval field2=if(isnull("$field2$"),"","$field2$") | eval field3=if(isnull("$field3$"),"","$field3$") | eval field4=if(isnull("$field4$"),"","$field4$")] </CODE></PRE> <P>so the thing is, map will fail for base search1 but working on base search2. is there a way to fix this? there multiple fields in the base query.</P> <P>thanks!</P> Sun, 03 Feb 2019 14:32:37 GMT milidna13 2019-02-03T14:32:37Z https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443528#M125822 <P>hi could someone please help me out here. been stuck with a problem. we have multiple existing queries in our environment. i am creating a sort of universal macro to work with the current queries.</P> <P>the problem is, there are some fields which exists in some of the base queries but doesnt exist in another. how do i do a map in that macro with and if/isnull even with the missing fields.</P> <P>Example</P> <P>base search1 below:</P> <PRE><CODE>| makeresults | eval field1="abc" | eval field2="def" </CODE></PRE> <P>base search2 below:</P> <PRE><CODE>| makeresults | eval field1="abc" | eval field2="def" | eval field3="opq" | eval field4="rst" </CODE></PRE> <P>macro below:</P> <PRE><CODE>| map [search index=test1... | eval field1=if(isnull("$field1$"),"","$field1$") | eval field2=if(isnull("$field2$"),"","$field2$") | eval field3=if(isnull("$field3$"),"","$field3$") | eval field4=if(isnull("$field4$"),"","$field4$")] </CODE></PRE> <P>so the thing is, map will fail for base search1 but working on base search2. is there a way to fix this? there multiple fields in the base query.</P> <P>thanks!</P> Sun, 03 Feb 2019 14:32:37 GMT https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443528#M125822 milidna13 2019-02-03T14:32:37Z https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443529#M125823 <P>Can you add a check for blank value as well, try this: | eval field1=if(isnull($field1$) OR field1 = "","",$field1$)</P> Mon, 04 Feb 2019 05:30:54 GMT https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443529#M125823 jvishwak 2019-02-04T05:30:54Z https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443530#M125824 <P>@milidna13 </P> <P>You need to place a test of fields before map command always. If you are creating a macro then try to do it like this:</P> <PRE><CODE> eval field1 = if(isnull(field1),"", field1) | eval field2 = if(isnull(field2),"", field2) | eval field3 = if(isnull(field3),"", field3) | eval field4 = if(isnull(field4),"", field4) | map [| eval field1=if(isnull("$field1$"),"","$field1$") | eval field2=if(isnull("$field2$"),"","$field2$") | eval field3=if(isnull("$field3$"),"","$field3$") | eval field4=if(isnull("$field4$"),"","$field4$") ] </CODE></PRE> Mon, 04 Feb 2019 08:22:06 GMT https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443530#M125824 vishaltaneja070 2019-02-04T08:22:06Z https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443531#M125825 <P>Yes, in the base search, end it with this command:</P> <PRE><CODE>... | fields field1 field2 field3 field4 AND ALSO ANY OTHER FIELDS THAT YOU NEED TO KEEP ALL LISTED OUT HERE </CODE></PRE> Mon, 04 Feb 2019 17:24:31 GMT https://community.splunk.com/t5/Splunk-Search/using-map-and-if-isnull-but-missing-fields-in-base-is-causing/m-p/443531#M125825 woodcock 2019-02-04T17:24:31Z