Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

IF value then string

dlcrooks
Explorer
‎02-12-2018 07:04 AM

I am trying to set the Name to Unknown if the ID is XYZ else populate it with the name value.

I have 

Eval name=if(ID=“XYZ”,”Unknown”, name)

I am getting the name as Null even when I have a fillnull function to change Nulls to Unknown.

Any ideas?

TIA!

Tags (1)
0 Karma
Reply

philipmattocks
Path Finder
‎02-12-2018 07:53 AM

is this a direct copy of the search string you're using? Try using 'straight' quotes, rather than 'curly' ones:

Eval name2=if(ID="XYZ","Unknown", name)
0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 09:35 AM

No, I using the correct quotes

0 Karma
Reply

493669
Super Champion
‎02-12-2018 09:39 AM

if you could share sample inputs to understand better

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-12-2018 07:25 AM

If I understand you question correctly, you have cases where ID="XYZ" but you name is null. In that case you need to use | fillnull value="" name before your eval to make sure your names are at least blank (otherwise by default it will be unset hence null).

0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 09:42 AM

No joy. The name field is still blank as IF statement is not working.

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-13-2018 12:10 AM

Can you provide a small dataset ?

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-12-2018 07:08 AM

I'm not sure to understand your question, when do you have null ?

0 Karma
Reply

493669
Super Champion
‎02-12-2018 07:13 AM

are you trying like this:

|Eval name=if(ID=“XYZ”,”Unknown”, name)| fillnull value=Unknown
0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 08:15 AM

Why doesn’t the IF statement work? I should not have to use the Fillnull!

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-12-2018 08:21 AM

It actually works as expected, don't forget that splunk will run your pipes one by one, searches is not compiled.

If we take this search
(1)
(2) | eval name=if(id="xyz", "unknown", name)

At (1) your field name will only exists where there is a value, for all rows, it will not be blank, it will not exist and hence be null so at step (2) you will assign null to you field name

If you add a fill null between

(1)
(2) | fillnull value="" name
(3) | eval name=if(id="xyz", "unknown", name)

now at step (2) you field name exist and is set to blank (or whatever value you set).

0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 07:58 AM

Yes, and still no luck

0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 08:10 AM

I put the if statement at the end and it works.

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-12-2018 08:01 AM

You need to do the opposite, first fill nulls, then do your eval.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...