I am trying to set the Name to Unknown if the ID is XYZ else populate it with the name value.
Eval name=if(ID=“XYZ”,”Unknown”, name)
I am getting the name as Null even when I have a fillnull function to change Nulls to Unknown.
If I understand you question correctly, you have cases where ID="XYZ" but you name is null. In that case you need to use
| fillnull value="" name before your eval to make sure your names are at least blank (otherwise by default it will be unset hence
It actually works as expected, don't forget that splunk will run your pipes one by one, searches is not compiled.
If we take this search
(2) | eval name=if(id="xyz", "unknown", name)
At (1) your field
name will only exists where there is a value, for all rows, it will not be blank, it will not exist and hence be null so at step (2) you will assign null to you field name
If you add a fill null between
(2) | fillnull value="" name
(3) | eval name=if(id="xyz", "unknown", name)
now at step (2) you field name exist and is set to blank (or whatever value you set).