Solved: Re: fill an occasional Null field with the current...

jacqu3sy · ‎04-20-2017

I have a search outputting results which includes a field for 'closedtime'. On occasion however this field will be blank. When this occurs, how do I fill this field with the current time?

Appreciate any help!

dineshraj9 · ‎04-20-2017

Try this -

| eval closedtime=if(isnull(closedtime) OR len(closedtime)==0,strftime(now(),"%F %T %Z"),closedtime)

View solution in original post

dineshraj9 · ‎04-20-2017

Try this -

| eval closedtime=if(isnull(closedtime) OR len(closedtime)==0,strftime(now(),"%F %T %Z"),closedtime)

jacqu3sy · ‎04-20-2017

Seems to work, would you mind explaining the logic behind it? Not sure I fully understand how its working!?

somesoni2 · ‎04-20-2017

The if condition check if the value of the field closedtime is either null OR blank (length is 0), if it is, use the current time given in epoch format by function now() and format it to string timestamp using strftime function. If it's neither null nor blank, use the value of field itself.

jacqu3sy · ‎04-21-2017

Great explanation, makes perfect sense. Thanks both.

dineshraj9 · ‎04-20-2017

Thanks @somesoni!

@jacqu3sy - You can modify the parameters to the strftime function to have the time format as you same as the closedtime values - http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables

jacqu3sy · ‎04-21-2017

Thats great, thanks.

fill an occasional Null field with the current time

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability