Splunk Enterprise

what happened to eval ifnull(,,)?

bochmann
Path Finder

Hi -

I have a few dashboards that use expressions like

eval var=ifnull(x,"true","false")

...which assigns "true" or "false" to var depending on x being NULL

Those dashboards still work, but I notice that ifnull() does not show up in any of the current documentation, and it seems the current way to get the same result would be

eval var=if(isnull(x),"true","false")

Did I miss some kind of deprecation of that syntax ages ago (must have been before 6.3.0), and it just happens to still be parsed?

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I can't say I've ever seen ifnull documented, but system/default/searchbnf.conf says it's an alias for coalesce.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I can't say I've ever seen ifnull documented, but system/default/searchbnf.conf says it's an alias for coalesce.

---
If this reply helps you, Karma would be appreciated.

bochmann
Path Finder

Huh. Reading the documentation for coalesce, I can see how this happens to work for specific cases where you want to keep the original value of x  if it's not NULL, and fill in something else if it is.

...which is not what I showed in my example above, but exactly what happens in the dashboard I'm looking at, and where the third parameter is just bogus. Ouch.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...