Splunk Search

How to check empty values in coalesce?

karthi2809
Builder

Hi All,

I have a field called File1 and File2  and I combined in coalesce .In the table but the value is not getting in the table.But if i use File1 directly the value is showing.what is the issue.How to check this not null or something else.

 

|eval FileList=coalesce(File1,File2)

Labels (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

There are isnull() and isnotnull() functions which can be used to evaluate whether the field is null or not

0 Karma

karthi2809
Builder

where to use isnotnull() .The value File1 and File2 comes from stats values.And where to check.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You are going to have to be more specific - what are you currently doing? what are your current results? what results would you like to get? what do your current events look like? etc.

0 Karma

karthi2809
Builder

Yes,let me explain. This the query the table filename is empty.But when add the field value directly in table for example i added FIle1 in the table its showing the values.if i use File1 directly its showing but why its not showing in filename.

|stats values(filename) as  File1 values(FileName) as File2
|eval filename=colsec(File1,File2)

|table filename  File1

In the result:

filenameFile1
 Test
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

There doesn't appear to be anything wrong with what you are doing (I am unable to reproduce what you are seeing with dummy data). I have to conclude it is something about your actual data. Please can you share some anonymised representative sample events which demonstrate the issue you are seeing?

0 Karma

karthi2809
Builder
{
  "correlationId" : "3df40a3e4f07-b3ae-8b3ab12fa904",
  
  "timestamp" : "2024-04-03T08:12:12.071Z",
  "content" : {
    "FileName" : "Liability.csv.pgp"
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1"
  
{
  "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904",
 
  "timestamp" : "2024-04-03T08:12:11.218Z",
  "content" : {
    "message" : "Workday successful",
    "FileList" : [ "_Liability_Accrual.csv.pgp" ],
    "FileName" : ""
  },
  "applicationName" : "p-abk-finance-api",
  {
  "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904",
  
  "timestamp" : "2024-04-03T08:12:10.212Z",
  "content" : {
    "FileName" : ""
  },
  "applicationName" : "p-abk-finance-api",
  "applicationVersion" : "1.0.1",
  "applicationVersion" : "1.0.1"

Please find above events

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

"FileName":"" does not produce a null field, it produces a field with an empty string. This is what you are probably seeing. If you want to cope with this, you should set the FileName and filename fields to null() if they are empty strings

| eval FileName=if(FileName="", null(), FileName)
| eval filename=if(filename="", null(), filename)
0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...