Solved: Any difference between NULL and null() in eval?

helge · ‎07-20-2017

In an eval expression, is there any difference between using NULL and null()?

Use case: I want to return null in an eval expression. I am finding that the following two expressions give the same result and I want to make sure that both are officially correct:

if (isnotnull (fieldX), fieldX * 10, NULL)
if (isnotnull (fieldX), fieldX * 10, null())

woodcock · ‎07-20-2017

In the former case, you are setting it to the value of the field named NULL, which in your case, clearly doesn't exist right now HOWEVER that might not always be the case. It is equivalent to if(isnotnull(fieldX), fieldX*10, ThisFieldNameDoesNotExistSoTheValueThatItHasAlsoDoesNotExistSoRightNowThisEvaluatesToNULL). So it is very poor practice to use the former and you should use the latter.

View solution in original post

woodcock · ‎07-20-2017

In the former case, you are setting it to the value of the field named NULL, which in your case, clearly doesn't exist right now HOWEVER that might not always be the case. It is equivalent to if(isnotnull(fieldX), fieldX*10, ThisFieldNameDoesNotExistSoTheValueThatItHasAlsoDoesNotExistSoRightNowThisEvaluatesToNULL). So it is very poor practice to use the former and you should use the latter.

helge · ‎07-20-2017

Now you mention it the answer is quite obvious 😉
Thanks!

DalJeanis · ‎07-20-2017

Ah yes, The Field Who Must Not Be Named...

Any difference between NULL and null() in eval?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM