Solved: Any difference between NULL and null() in eval?

helge · ‎07-20-2017

In an eval expression, is there any difference between using NULL and null()?

Use case: I want to return null in an eval expression. I am finding that the following two expressions give the same result and I want to make sure that both are officially correct:

if (isnotnull (fieldX), fieldX * 10, NULL)
if (isnotnull (fieldX), fieldX * 10, null())

woodcock · ‎07-20-2017

In the former case, you are setting it to the value of the field named NULL, which in your case, clearly doesn't exist right now HOWEVER that might not always be the case. It is equivalent to if(isnotnull(fieldX), fieldX*10, ThisFieldNameDoesNotExistSoTheValueThatItHasAlsoDoesNotExistSoRightNowThisEvaluatesToNULL). So it is very poor practice to use the former and you should use the latter.

View solution in original post

woodcock · ‎07-20-2017

In the former case, you are setting it to the value of the field named NULL, which in your case, clearly doesn't exist right now HOWEVER that might not always be the case. It is equivalent to if(isnotnull(fieldX), fieldX*10, ThisFieldNameDoesNotExistSoTheValueThatItHasAlsoDoesNotExistSoRightNowThisEvaluatesToNULL). So it is very poor practice to use the former and you should use the latter.

helge · ‎07-20-2017

Now you mention it the answer is quite obvious 😉
Thanks!

DalJeanis · ‎07-20-2017

Ah yes, The Field Who Must Not Be Named...

Any difference between NULL and null() in eval?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Any difference between NULL and null() in eval?

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR