https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123146#M33232 <P>Where is the field "hostTICKET" present? Its not coming from lookup right? Is it there in the logs?</P> Tue, 08 Apr 2014 13:29:53 GMT somesoni2 2014-04-08T13:29:53Z https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123142#M33228 <P>Hi!</P> <P>Anyone know why i'm still getting NULL in my timechart?</P> <P><STRONG>The lookup "existing" has two columns "ticket|host_message". host_message column matches the eval expression host+CISCO_MESSAGE below... I **can</STRONG> get the host+message+ticket number to show up in the timechart with the following query - however if the results do not match host_message in the lookup, hostTICKET comes back null.** I want null to simply be host_message without the ticket because it does not exist on the lookup.</P> <PRE><CODE>index=net | rex "(?i)^([^:]*:){8}(?&lt;CISCO_LOG&gt;.*)$" | eval host_message=host+CISCO_LOG | lookup existing host_message | eval hostTICKET=if(isnull(hostTICKET),host_message+" "+TICKET,host_message) | timechart count by hostTICKET </CODE></PRE> Mon, 28 Sep 2020 16:20:06 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123142#M33228 subtrakt 2020-09-28T16:20:06Z https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123143#M33229 <P>You're using the wrong operator for performing string concatenations. It should be ".", not "+". So, your eval statement should read</P> <PRE><CODE>eval hostTicket=if(isnull(hostTICKET),host_message." ".TICKET,host_message </CODE></PRE> Tue, 08 Apr 2014 08:08:32 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123143#M33229 Ayn 2014-04-08T08:08:32Z https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123144#M33230 <P>It is still coming back as NULL for messages that are not defined in the lookup. the field after "isnull" in parentheses is supposed to be the field that could come back as null correct?</P> Tue, 08 Apr 2014 12:34:50 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123144#M33230 subtrakt 2014-04-08T12:34:50Z https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123145#M33231 <P>No. NULL is being filled in by the lookup statement, so when it gets to the eval the values is NULL, which is not null.</P> Tue, 08 Apr 2014 13:22:23 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123145#M33231 lukejadamec 2014-04-08T13:22:23Z https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123146#M33232 <P>Where is the field "hostTICKET" present? Its not coming from lookup right? Is it there in the logs?</P> Tue, 08 Apr 2014 13:29:53 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/123146#M33232 somesoni2 2014-04-08T13:29:53Z https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/540158#M152787 <P>The above eval statement does not correctly convert <STRONG>0</STRONG> to <STRONG>0.0.0.0</STRONG> and <STRONG>null values</STRONG>. Try this:<BR /><BR /><STRONG>Note:&nbsp;</STRONG>replace&nbsp;<STRONG>ip</STRONG> with the field name you would like to convert.</P><P>&nbsp;</P><LI-CODE lang="markup">| eval o1=floor(ip/16777216) | eval o2=floor((ip-o1*16777216)/65536) | eval o3=floor((ip-(o1*16777216+o2*65536))/256)| eval o4=ip-(o1*16777216+o2*65536+o3*256) | eval ipv4=tostring(o1)+"."+tostring(o2)+"."+tostring(o3)+"."+tostring(o4) | eval ipv4=if(ipv4="Null.Null.Null.Null","",ipv4)</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Tue, 16 Feb 2021 19:48:48 GMT https://community.splunk.com/t5/Splunk-Search/eval-isnull/m-p/540158#M152787 _brettfitz 2021-02-16T19:48:48Z