Solved: Re: eval if isnull hope fill other values

chengyu · ‎04-30-2014

Hi:

My weburl sometim is null, i hope if weburl is null then weburl1 fill to weburl. I'm try "eval n=if(isnull(hostname),weburl1)" but fail, how should i do? Thanks.

index=xx | fillnull value=SSL attack| eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | strcat " " date " " time " " as Date |strcat " " hostname url " " as weburl | strcat " " host_name url " " as weburl1 | eval n=if(isnull(hostname),weburl1)|stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(service) as service values(attack) as app last(Date) as LastDate first(Date) as FirstDate values(weburl) as weburl values(weburl1) as weburl1 values(policyid) as policyid values(n) as n by dstip | table srcip,dstip,app,service,LastDate,FirstDate,weburl,weburl1,bandwidth(MB),policyid,n |sort 10 bandwidth(MB) desc

martin_mueller · ‎04-30-2014

You can use coalesce() to use the first value from a list of fields that isn't null:

... | eval weburl = coalesce(weburl, weburl1, weburl2, weburl3, ...) | ...

View solution in original post

martin_mueller · ‎04-30-2014

You can use coalesce() to use the first value from a list of fields that isn't null:

... | eval weburl = coalesce(weburl, weburl1, weburl2, weburl3, ...) | ...

chengyu · ‎04-30-2014

Hi

last modify success, thank guts.
| eval n = coalesce(hostname, host_name) |strcat " " n url " " as weburl3 |...

MuS · ‎04-30-2014

Hi chengyu,

your eval is missing the third argument in the if statement. Try something like this:

eval n=if(isnull(hostname), weburl1, "ThereIsAhostname")

you can use as third argument another field's value or some boolean test like I did.

hope this helps ...

cheers, MuS

eval if isnull hope fill other values

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor