Splunk Enterprise

what happened to eval ifnull(,,)?

bochmann
Path Finder

Hi -

I have a few dashboards that use expressions like

eval var=ifnull(x,"true","false")

...which assigns "true" or "false" to var depending on x being NULL

Those dashboards still work, but I notice that ifnull() does not show up in any of the current documentation, and it seems the current way to get the same result would be

eval var=if(isnull(x),"true","false")

Did I miss some kind of deprecation of that syntax ages ago (must have been before 6.3.0), and it just happens to still be parsed?

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I can't say I've ever seen ifnull documented, but system/default/searchbnf.conf says it's an alias for coalesce.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I can't say I've ever seen ifnull documented, but system/default/searchbnf.conf says it's an alias for coalesce.

---
If this reply helps you, Karma would be appreciated.

bochmann
Path Finder

Huh. Reading the documentation for coalesce, I can see how this happens to work for specific cases where you want to keep the original value of x  if it's not NULL, and fill in something else if it is.

...which is not what I showed in my example above, but exactly what happens in the dashboard I'm looking at, and where the third parameter is just bogus. Ouch.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...