Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to check empty values in coalesce?

karthi2809
Builder
‎04-29-2024 05:38 AM

Hi All,

I have a field called File1 and File2  and I combined in coalesce .In the table but the value is not getting in the table.But if i use File1 directly the value is showing.what is the issue.How to check this not null or something else.

 

|eval FileList=coalesce(File1,File2)

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2024 05:49 AM

There are isnull() and isnotnull() functions which can be used to evaluate whether the field is null or not

0 Karma
Reply

karthi2809
Builder
‎04-29-2024 05:54 AM

where to use isnotnull() .The value File1 and File2 comes from stats values.And where to check.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2024 06:01 AM

You are going to have to be more specific - what are you currently doing? what are your current results? what results would you like to get? what do your current events look like? etc.

0 Karma
Reply

karthi2809
Builder
‎04-29-2024 06:08 AM

Yes,let me explain. This the query the table filename is empty.But when add the field value directly in table for example i added FIle1 in the table its showing the values.if i use File1 directly its showing but why its not showing in filename.

|stats values(filename) as  File1 values(FileName) as File2
|eval filename=colsec(File1,File2)

|table filename  File1

In the result:

filenameFile1
 Test
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2024 06:21 AM

There doesn't appear to be anything wrong with what you are doing (I am unable to reproduce what you are seeing with dummy data). I have to conclude it is something about your actual data. Please can you share some anonymised representative sample events which demonstrate the issue you are seeing?

0 Karma
Reply

karthi2809
Builder
‎04-29-2024 06:35 AM 
{
  "correlationId" : "3df40a3e4f07-b3ae-8b3ab12fa904",
  
  "timestamp" : "2024-04-03T08:12:12.071Z",
  "content" : {
    "FileName" : "Liability.csv.pgp"
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1"
  
{
  "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904",
 
  "timestamp" : "2024-04-03T08:12:11.218Z",
  "content" : {
    "message" : "Workday successful",
    "FileList" : [ "_Liability_Accrual.csv.pgp" ],
    "FileName" : ""
  },
  "applicationName" : "p-abk-finance-api",
  {
  "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904",
  
  "timestamp" : "2024-04-03T08:12:10.212Z",
  "content" : {
    "FileName" : ""
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1",
  "applicationVersion" : "1.0.1"

Please find above events

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2024 08:12 AM

"FileName":"" does not produce a null field, it produces a field with an empty string. This is what you are probably seeing. If you want to cope with this, you should set the FileName and filename fields to null() if they are empty strings

| eval FileName=if(FileName="", null(), FileName)
| eval filename=if(filename="", null(), filename)
0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top