https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/101124#M182816 <P>That's perfect thanks.</P> Wed, 28 Mar 2012 08:55:51 GMT dmrhodes101 2012-03-28T08:55:51Z https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/101122#M182814 <P>We're using Splunk to monitor EDI traffic onto our backend system. We want to have a single value panel that shows green when an order has been received, yellow, when there's been no order and it's prior to 16:00 and red when there's been no order and it's 16:00+</P> <P>Here's the command I used, but the isnull always returns 0 even when EDI-count is greater than 0. </P> <PRE><CODE>source="C:\\Monitor\\Vista\\EDI\\EDISPLUNK.csv" NOT _raw="Date,Time,Type,Account,Name,Order Qty,EAN,SAN,Order Ref,Order Date,From1,From2" host="Vista-EDI2" AND Name="Companyname*" | stats count as EDI-count | eval Time=now() | convert timeformat=%H:%M ctime(Time) | eval Got=if(isnull(EDI-count),0,1) | eval Test=case(Got=0 and Time&gt;="16:00",0,Got=0 and Time&lt;"16:00",2,Got=1,4) | rangemap field=Test low=4-5 elevated=2-3 default=severe </CODE></PRE> Mon, 26 Mar 2012 14:50:31 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/101122#M182814 dmrhodes101 2012-03-26T14:50:31Z https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/101123#M182815 <P>I think that stats will give you a 0 for the count if there are no matching events, not null. Zero isn't null.</P> <P>It also appears that Splunk may be interpreting the field name "EDI-count" as a subtraction of two undefined fields EDI and count. I had to remove the - (or change it to an underscore) to make it work in my testing.</P> <P>The EDI_count field is effectively acting as a boolean already, but if you want to normalize it to (0|1), your eval call would look like:<BR /> <CODE>eval Got=if(EDI_count,1,0)</CODE>, or <CODE>eval Got=if(EDI_count==0,0,1)</CODE> if you're the explicit type.</P> <P>Note also that you can save a step with your Time field and do <CODE>eval Time=strftime(now(), "%H:%M")</CODE>.</P> Tue, 27 Mar 2012 21:57:14 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/101123#M182815 sowings 2012-03-27T21:57:14Z https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/101124#M182816 <P>That's perfect thanks.</P> Wed, 28 Mar 2012 08:55:51 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/101124#M182816 dmrhodes101 2012-03-28T08:55:51Z https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/704915#M238760 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/119048">@dmrhodes101</a>&nbsp;, it looks like you are trying to process EDI, we do have a solution accelerator for processing EDIs, love to share some of the content we have.&nbsp; Let me know if you're interested.</P> Thu, 21 Nov 2024 08:14:56 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull-always-returns-true/m-p/704915#M238760 youngc_splunk 2024-11-21T08:14:56Z