Splunk Search

How to check empty values in coalesce?

karthi2809
Builder

Hi All,

I have fields called File1 and File2, and I combined them in coalesce. But the value is not showing in the table. If I use File1 directly, the value is showing. What is the issue? How do I check whether this is not null or something else?

 

|eval FileList=coalesce(File1,File2)

0 Karma

ITWhisperer
SplunkTrust

There are isnull() and isnotnull() functions which can be used to evaluate whether the field is null or not.

0 Karma

karthi2809
Builder

Where to use isnotnull()? The values File1 and File2 come from stats values. And where to check?

0 Karma

ITWhisperer
SplunkTrust

You are going to have to be more specific - what are you currently doing? what are your current results? what results would you like to get? what do your current events look like? etc.

0 Karma

karthi2809
Builder

Yes, let me explain. This is the query; in the table, filename is empty. But when I add the field value directly in the table, for example I added File1 in the table, it's showing the values. If I use File1 directly it's showing, but why is it not showing in filename?

| stats values(filename) as File1 values(FileName) as File2
| eval filename=coalesce(File1,File2)
| table filename File1

In the result:

| filename | File1 |
|----------|-------|
|          | Test  |

0 Karma

ITWhisperer
SplunkTrust

There doesn't appear to be anything wrong with what you are doing (I am unable to reproduce what you are seeing with dummy data). I have to conclude it is something about your actual data. Please can you share some anonymised representative sample events which demonstrate the issue you are seeing?

0 Karma

karthi2809
Builder

{
  "correlationId" : "3df40a3e4f07-b3ae-8b3ab12fa904",
  "timestamp" : "2024-04-03T08:12:12.071Z",
  "content" : {
    "FileName" : "Liability.csv.pgp"
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1"
}

{
  "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904",
  "timestamp" : "2024-04-03T08:12:11.218Z",
  "content" : {
    "message" : "Workday successful",
    "FileList" : [ "_Liability_Accrual.csv.pgp" ],
    "FileName" : ""
  },
  "applicationName" : "p-abk-finance-api"
}

{
  "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904",
  "timestamp" : "2024-04-03T08:12:10.212Z",
  "content" : {
    "FileName" : ""
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1"
}

Please find above events

0 Karma

ITWhisperer
SplunkTrust

"FileName":"" does not produce a null field, it produces a field with an empty string. This is what you are probably seeing. If you want to cope with this, you should set the FileName and filename fields to null() if they are empty strings:

| eval FileName=if(FileName="", null(), FileName)
| eval filename=if(filename="", null(), filename)
0 Karma
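
A self-contained search that reproduces the empty-string behaviour described in the answer above and applies its fix before the stats step. This is an added example, not part of the original thread: the events are constructed with makeresults, both fields are assumed to exist at the event level, and the n, sample_data, raw_coalesce and without_fix fields are names made up for the illustration.

```spl
| makeresults count=3
| streamstats count as n
| eval sample_data="constructed for this example"
| eval filename="", FileName=case(n=1, "Liability.csv.pgp", true(), "")
| eval raw_coalesce=coalesce(filename, FileName)
| eval filename=if(filename="", null(), filename)
| eval FileName=if(FileName="", null(), FileName)
| stats values(raw_coalesce) as without_fix values(filename) as File1 values(FileName) as File2
| eval filename=coalesce(File1, File2)
| table without_fix File1 File2 filename
```

The without_fix column stays blank because coalesce() accepted the empty string in filename as a value, while the final filename column shows Liability.csv.pgp once the empty strings have been turned into nulls.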