https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710017#M239924 <P>Hi, use spath :&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Spath" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Spath</A></P><P>To see why it happens, add and eval with just<STRONG> | eval subject2=Item.Subject ... | table ..., subject2&nbsp;<BR />(subject2 be null)</STRONG></P><P>I have a splunk index in JSON that has the key SRV and key CONTENT_LENGTH.<BR />If i do</P><PRE>index=someindex <BR />| eval CONTENT_TYPE=if(isnull(SRV.CONTENT_TYPE),"true","false") <BR />| table SRV.CONTENT_TYPE, CONTENT_TYPE</PRE><P>I will get the same problem as you do.</P><P>But like below, i dont :</P><PRE>index=someindex <BR />| spath output=qwe "SRV.CONTENT_TYPE" <BR />| eval CONTENT_TYPE=if(isnull(qwe),"true","false") <BR />| table SRV.CONTENT_TYPE, CONTENT_TYPE</PRE><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Jan 2025 18:30:06 GMT alex_tc80 2025-01-28T18:30:06Z https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710001#M239922 <P>Hello, trying to figure out why this eval statement testing for a null value always evaluates to "true", even when the field does contain data:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shaunm001_1-1738084615547.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34271i5ADA2C7FFBC6F1DA/image-size/medium?v=v2&amp;px=400" role="button" title="shaunm001_1-1738084615547.png" alt="shaunm001_1-1738084615547.png" /></span></P><P>Here is what the data looks like in the results:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="shaunm001_2-1738084765526.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/34272iA2B32B3308EFFE35/image-size/medium?v=v2&amp;px=400" role="button" title="shaunm001_2-1738084765526.png" alt="shaunm001_2-1738084765526.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Jan 2025 17:20:07 GMT https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710001#M239922 shaunm001 2025-01-28T17:20:07Z https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710017#M239924 <P>Hi, use spath :&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Spath" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Spath</A></P><P>To see why it happens, add and eval with just<STRONG> | eval subject2=Item.Subject ... | table ..., subject2&nbsp;<BR />(subject2 be null)</STRONG></P><P>I have a splunk index in JSON that has the key SRV and key CONTENT_LENGTH.<BR />If i do</P><PRE>index=someindex <BR />| eval CONTENT_TYPE=if(isnull(SRV.CONTENT_TYPE),"true","false") <BR />| table SRV.CONTENT_TYPE, CONTENT_TYPE</PRE><P>I will get the same problem as you do.</P><P>But like below, i dont :</P><PRE>index=someindex <BR />| spath output=qwe "SRV.CONTENT_TYPE" <BR />| eval CONTENT_TYPE=if(isnull(qwe),"true","false") <BR />| table SRV.CONTENT_TYPE, CONTENT_TYPE</PRE><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Jan 2025 18:30:06 GMT https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710017#M239924 alex_tc80 2025-01-28T18:30:06Z https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710020#M239925 <P>Ahh..thanks, this was killing me. I was also having trouble with the eval statement checking an array value (kept erroring out), but seems like spath was the key there as well.&nbsp;</P><P>This ended up working for me:</P><LI-CODE lang="markup">index=someindex | spath output=sentSubject "Item.Subject" | spath output=receivedSubject "AffectedItems{}.Subject" | eval subject = if(isnull(sentSubject),receivedSubject,sentSubject) | table UserId,subject,Operation, _time</LI-CODE><P>&nbsp;</P> Tue, 28 Jan 2025 18:45:58 GMT https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710020#M239925 shaunm001 2025-01-28T18:45:58Z https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710114#M239938 <P>You are doing</P><PRE>isnull(Item.Subject)</PRE><P>Since you are not enclosing the Item.Subject part in quotes (in this case - you should use single quotes) Splunk treats Item and Subject as separate field names and tries to concatenate (the dot operator) their values. Since you have no fields called neither Item nor Subject in your data, the result of joining two null values is of course null as well.</P><P>You should do</P><PRE>isnull('Item.Subject')</PRE><P>to get a correct result.</P><P>Spath is not needed and since Splunk has already done automatic json extraction, it's a needless performance hit.</P> Wed, 29 Jan 2025 10:22:37 GMT https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710114#M239938 PickleRick 2025-01-29T10:22:37Z https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710156#M239939 <P>Great, this also works and is actually simpler than the spath solution, thanks!</P> Wed, 29 Jan 2025 16:11:40 GMT https://community.splunk.com/t5/Splunk-Search/Search-result-evaluates-to-true-when-it-is-false/m-p/710156#M239939 shaunm001 2025-01-29T16:11:40Z