Solved: what happened to eval ifnull(,,)?

bochmann · ‎10-01-2021

Hi -

I have a few dashboards that use expressions like

eval var=ifnull(x,"true","false")

...which assigns "true" or "false" to var depending on x being NULL

Those dashboards still work, but I notice that ifnull() does not show up in any of the current documentation, and it seems the current way to get the same result would be

eval var=if(isnull(x),"true","false")

Did I miss some kind of deprecation of that syntax ages ago (must have been before 6.3.0), and it just happens to still be parsed?

richgalloway · ‎10-01-2021

I can't say I've ever seen ifnull documented, but system/default/searchbnf.conf says it's an alias for coalesce.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-01-2021

I can't say I've ever seen ifnull documented, but system/default/searchbnf.conf says it's an alias for coalesce.

---
If this reply helps you, Karma would be appreciated.

bochmann · ‎10-01-2021

Huh. Reading the documentation for coalesce, I can see how this happens to work for specific cases where you want to keep the original value of x if it's not NULL, and fill in something else if it is.

...which is not what I showed in my example above, but exactly what happens in the dashboard I'm looking at, and where the third parameter is just bogus. Ouch.

what happened to eval ifnull(,,)?

using Splunk Enterprise

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

what happened to eval ifnull(,,)?

using Splunk Enterprise

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!