Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eval can not concatenate fields where there is a null value

Rob
Splunk Employee
Splunk Employee
‎01-31-2012 12:46 PM

Given that:

Field1="foo"

Field2=""

(Field2 has a null value)

and we use eval to concatenate the two

|eval Field3=Field1.Field2

or

|eval Field3=Field1+Field2

Then Field3 will contain the null value instead "foo". Instead it seems that with a null value we see it overwrite or ignore the non-null values and the whole thing just becomes a null value.

Reply
1 Solution
Solved! Jump to solution
Solution

Rob
Splunk Employee
Splunk Employee
‎01-31-2012 12:49 PM

The workaround for this is to use

|eval Field3=if(isnotnull(Field2), Field1.Field2, Field1)

This would assume that we know that Field1 will always have a value and sometimes Field2 might only contain a null value by using the if() and isnotnull() functions of eval to test whether the field has a NULL value. If there is no NULL value then we concatenate the fields, if there is a NULL value, we simply take the first field that has a value as the value we want to keep.

View solution in original post

Reply
Solved! Jump to solution
Solution

Rob
Splunk Employee
Splunk Employee
‎01-31-2012 12:49 PM

The workaround for this is to use

|eval Field3=if(isnotnull(Field2), Field1.Field2, Field1)

This would assume that we know that Field1 will always have a value and sometimes Field2 might only contain a null value by using the if() and isnotnull() functions of eval to test whether the field has a NULL value. If there is no NULL value then we concatenate the fields, if there is a NULL value, we simply take the first field that has a value as the value we want to keep.

Reply
Solved! Jump to solution

Rob
Splunk Employee
Splunk Employee
‎01-31-2012 01:36 PM

Thanks for that dwaddle! I like it, its sort of temporarily replacing the null value with an empty value and concatenating for a new field.

0 Karma
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎01-31-2012 01:25 PM

Hi Rob, another option is coalesce

| eval Field3=coalesce(Field1,"").coalesce(Field2,"")
Reply
Get Updates on the Splunk Community!

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...