topic Re: If column is missing then eval in Splunk Search

If column is missing then eval

jiaqya — Mon, 08 Jun 2020 22:02:06 GMT

if a field is missing in output, what is the query to eval another field to create this missing field.

below query can do it,

|eval missing=anothercolumn.

but to run this query , i need to run it only when the "missing" column is missing.
what is the logic to use..

Re: If column is missing then eval

memarshall63 — Wed, 01 Apr 2020 12:07:03 GMT

You can use 'if' and 'isnull' to identify whether the field exists, and if not replace it with another field.

| makeresults 
| eval there = "NOTNULL" 
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL") 
| eval NEWFIELD2 = if(isnull(there),"FIELD IS NULL", "FIELD IS AVAIL")

| makeresults 
| eval there = "NOTNULL" 
| eval newfield = "NEW"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL") 
| eval NEWFIELD2 = if(isnull(there),newfield, there)

Re: If column is missing then eval

jiaqya — Wed, 01 Apr 2020 12:56:42 GMT

This works good, thanks, can i ask for another help.

the eval missing=newcolumn.

the new column is the last column in the table which im evaling with missing.
how do i eval the last column to be missing..

Re: If column is missing then eval

jiaqya — Wed, 01 Apr 2020 13:04:59 GMT

simplifying this even further,.

if column "missing" is missing, then eval it with 12th column( this wont change )

to identify "missing" is actually missing, i am using your above code... of if and isnull

Re: If column is missing then eval

memarshall63 — Wed, 01 Apr 2020 13:20:49 GMT

That's a tougher question.

The only way I'd know how to do that is to leave the values in a string, split it, and then use mvindex to index the 12th value in the split.

| makeresults 
| eval message = "this,is,the,fourth,fifth,sixth,value" 
| eval new_mvfield = split(message,",") 
| eval FOURTH = mvindex(new_mvfield,3)
| eval FIFTH = mvindex(new_mvfield,4)
| eval LAST = mvindex(new_mvfield,-1)

Re: If column is missing then eval

jiaqya — Wed, 01 Apr 2020 13:53:54 GMT

thanks, luckily my column names are months, ie last 12 months, so my last column as of today is 'Apr 2020' followed by the 'Missing' column.

so i got the 'Apr 2020' using eval as below, but when i eval it with "missing" , it prints the actual value.
how to treat the value to be a column during eval on 2nd line...

|eval ThisMonth=strftime(relative_time(now(), "-0d"), "%b %Y")
| eval Missing = if(isnull(Missing),ThisMonth, Missing)
|fields - ThisMonth

output below :

Apr 2020 Missing
99.62 Apr 2020
99.37 Apr 2020
99.16 Apr 2020
99.42 Apr 2020

basically want the values of Apr 2020 to be under Missing, like below.

Apr 2020 Missing
99.62 99.62
99.37 99.37
99.16 99.16
99.42 99.42