Re: If "null" command

super_saiyan · ‎07-28-2022

Hi splunkers,

I want to use "null" command in below query. If the message is "null" then it should replace with the below message otherwise it should only display the already extracted message.

| eval message= if(Actor="superman","super hero", if(Actor="emma watson","model"))

Thanks.

somesoni2 · ‎07-28-2022

Give this a try

| eval message= coalesce(message,case(Actor="superman","super hero",Actor="emma watson","model", true(),"NA"))

super_saiyan · ‎07-28-2022

Thanks for your quick response @somesoni2
could you please also provide the spl using "isnull" ?

Really appreciate your support.

somesoni2 · ‎07-29-2022

| eval message= if(isnotnull(message),message,case(Actor="superman","super hero",Actor="emma watson","model", true(),"NA"))

inventsekar · ‎07-28-2022

Hi @super_saiyan ... please check this isnull():

|makeresults | eval Actor="emma watson" 
| eval message = if(isnull(message),if(Actor="superman","super hero", if(Actor="emma watson","model", "not emma")),message) | table message

super_saiyan · ‎07-28-2022

I am getting error while using the below SPL Query

Could you please help me with that ?

appreciate your help.

inventsekar · ‎07-29-2022

Hi @super_saiyan .. your "if" format was wrong.. pls check this..

|makeresults | eval Actor="emma watson" | eval message = if(isnull(message, null(),if(Actor="superman","super hero", if(Actor="emma watson","model", "not emma")) | table message

could you pls check this and update us with some more details:

>>> If the message is "null" then it should replace with the below message.

>>> otherwise it should only display the already extracted message.

Help with if "null" command

other

troubleshooting

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control