https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373500#M162953 <P>are you trying like this:</P> <PRE><CODE>|Eval name=if(ID=“XYZ”,”Unknown”, name)| fillnull value=Unknown </CODE></PRE> Mon, 12 Feb 2018 15:13:56 GMT 493669 2018-02-12T15:13:56Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373498#M162951 <P>I am trying to set the Name to Unknown if the ID is XYZ else populate it with the name value.</P> <P>I have </P> <PRE><CODE>Eval name=if(ID=“XYZ”,”Unknown”, name) </CODE></PRE> <P>I am getting the name as Null even when I have a fillnull function to change Nulls to Unknown.</P> <P>Any ideas?</P> <P>TIA!</P> Mon, 12 Feb 2018 15:04:10 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373498#M162951 dlcrooks 2018-02-12T15:04:10Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373499#M162952 <P>I'm not sure to understand your question, when do you have null ?</P> Mon, 12 Feb 2018 15:08:36 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373499#M162952 isabel_ycourbe 2018-02-12T15:08:36Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373500#M162953 <P>are you trying like this:</P> <PRE><CODE>|Eval name=if(ID=“XYZ”,”Unknown”, name)| fillnull value=Unknown </CODE></PRE> Mon, 12 Feb 2018 15:13:56 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373500#M162953 493669 2018-02-12T15:13:56Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373501#M162954 <P>If I understand you question correctly, you have cases where ID="XYZ" but you name is null. In that case you need to use <CODE>| fillnull value="" name</CODE> before your eval to make sure your names are at least blank (otherwise by default it will be unset hence <CODE>null</CODE>). </P> Mon, 12 Feb 2018 15:25:15 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373501#M162954 isabel_ycourbe 2018-02-12T15:25:15Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373502#M162955 <P>is this a direct copy of the search string you're using? Try using 'straight' quotes, rather than 'curly' ones:</P> <PRE><CODE>Eval name2=if(ID="XYZ","Unknown", name) </CODE></PRE> Mon, 12 Feb 2018 15:53:32 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373502#M162955 philipmattocks 2018-02-12T15:53:32Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373503#M162956 <P>Yes, and still no luck</P> Mon, 12 Feb 2018 15:58:46 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373503#M162956 dlcrooks 2018-02-12T15:58:46Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373504#M162957 <P>You need to do the opposite, first fill nulls, then do your eval.</P> Mon, 12 Feb 2018 16:01:49 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373504#M162957 isabel_ycourbe 2018-02-12T16:01:49Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373505#M162958 <P>I put the if statement at the end and it works.</P> Mon, 12 Feb 2018 16:10:33 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373505#M162958 dlcrooks 2018-02-12T16:10:33Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373506#M162959 <P>Why doesn’t the IF statement work? I should not have to use the Fillnull!</P> Mon, 12 Feb 2018 16:15:11 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373506#M162959 dlcrooks 2018-02-12T16:15:11Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373507#M162960 <P>It actually works as expected, don't forget that splunk will run your pipes one by one, searches is not compiled.</P> <P>If we take this search<BR /> (1) <BR /> (2) | eval name=if(id="xyz", "unknown", name)</P> <P>At (1) your field <CODE>name</CODE> will only exists where there is a value, for all rows, it will not be blank, it will not exist and hence be null so at step (2) you will assign null to you field name</P> <P>If you add a fill null between</P> <P>(1) <BR /> (2) | fillnull value="" name<BR /> (3) | eval name=if(id="xyz", "unknown", name)</P> <P>now at step (2) you field name exist and is set to blank (or whatever value you set).</P> Mon, 12 Feb 2018 16:21:50 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373507#M162960 isabel_ycourbe 2018-02-12T16:21:50Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373508#M162961 <P>No, I using the correct quotes</P> Mon, 12 Feb 2018 17:35:48 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373508#M162961 dlcrooks 2018-02-12T17:35:48Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373509#M162962 <P>if you could share sample inputs to understand better</P> Mon, 12 Feb 2018 17:39:35 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373509#M162962 493669 2018-02-12T17:39:35Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373510#M162963 <P>No joy. The name field is still blank as IF statement is not working.</P> Mon, 12 Feb 2018 17:42:59 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373510#M162963 dlcrooks 2018-02-12T17:42:59Z https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373511#M162964 <P>Can you provide a small dataset ?</P> Tue, 13 Feb 2018 08:10:53 GMT https://community.splunk.com/t5/Splunk-Search/IF-value-then-string/m-p/373511#M162964 isabel_ycourbe 2018-02-13T08:10:53Z