Splunk Search

How to check empty values in coalesce?

karthi2809
Builder

Hi All,

I have fields called File1 and File2, and I combined them in coalesce. The value is not showing in the table. But if I use File1 directly, the value is showing. What is the issue? How do I check whether this is not null or something else?

 

|eval FileList=coalesce(File1,File2)

0 Karma

ITWhisperer
SplunkTrust

There are isnull() and isnotnull() functions which can be used to evaluate whether the field is null or not.

0 Karma

karthi2809
Builder

Where do I use isnotnull()? The values File1 and File2 come from stats values. And where do I check?

0 Karma

ITWhisperer
SplunkTrust

You are going to have to be more specific - what are you currently doing? What are your current results? What results would you like to get? What do your current events look like? etc.

0 Karma

karthi2809
Builder

Yes, let me explain. This is the query; in the table, filename is empty. But when I add the field value directly in the table, for example I added File1 in the table, it's showing the values. If I use File1 directly it's showing, but why is it not showing in filename?

| stats values(filename) as File1 values(FileName) as File2
| eval filename=coalesce(File1,File2)
| table filename File1

In the result:

filename | File1
(empty) | Test

0 Karma

ITWhisperer
SplunkTrust

There doesn't appear to be anything wrong with what you are doing (I am unable to reproduce what you are seeing with dummy data). I have to conclude it is something about your actual data. Please can you share some anonymised representative sample events which demonstrate the issue you are seeing?

0 Karma

karthi2809
Builder

{
  "correlationId" : "3df40a3e4f07-b3ae-8b3ab12fa904",
  "timestamp" : "2024-04-03T08:12:12.071Z",
  "content" : {
    "FileName" : "Liability.csv.pgp"
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1"
}
{
  "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904",
  "timestamp" : "2024-04-03T08:12:11.218Z",
  "content" : {
    "message" : "Workday successful",
    "FileList" : [ "_Liability_Accrual.csv.pgp" ],
    "FileName" : ""
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1"
}
{
  "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904",
  "timestamp" : "2024-04-03T08:12:10.212Z",
  "content" : {
    "FileName" : ""
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1"
}

Please find the events above.

0 Karma

ITWhisperer
SplunkTrust

"FileName":"" does not produce a null field, it produces a field with an empty string. This is what you are probably seeing. If you want to cope with this, you should set the FileName and filename fields to null() if they are empty strings:

| eval FileName=if(FileName="", null(), FileName)
| eval filename=if(filename="", null(), filename)
0 Karma
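
The empty-string behaviour described in the answer above can be reproduced without any indexed data. This is an added example, not part of the original thread: the three rows are constructed with makeresults, the filename value is a constructed placeholder, and sample_row, raw_pick, raw_pick_is, clean_pick and clean_pick_is are names introduced here. It compares coalesce on the fields as they arrive with coalesce after the two null() evals from the answer.

```spl
| makeresults count=3
| streamstats count AS sample_row
| eval FileName=case(sample_row=1, "Liability.csv.pgp", true(), "")
| eval filename=case(sample_row=2, "constructed-example.csv.pgp", true(), "")
| eval raw_pick=coalesce(filename, FileName)
| eval raw_pick_is=case(isnull(raw_pick), "null", raw_pick="", "empty string", true(), "value")
| eval filename=if(filename="", null(), filename)
| eval FileName=if(FileName="", null(), FileName)
| eval clean_pick=coalesce(filename, FileName)
| eval clean_pick_is=case(isnull(clean_pick), "null", clean_pick="", "empty string", true(), "value")
| table sample_row raw_pick raw_pick_is clean_pick clean_pick_is
```

On the rows where filename is "", raw_pick is that empty string because coalesce only skips null, while clean_pick falls through to FileName. The two null() evals act on the per-event fields, so in the thread's search they belong before the stats line.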