Splunk Search

IF value then string

dlcrooks
Engager

I am trying to set the Name to Unknown if the ID is XYZ else populate it with the name value.

I have

Eval name=if(ID=“XYZ”,”Unknown”, name)

I am getting the name as Null even when I have a fillnull function to change Nulls to Unknown.

Any ideas?

TIA!

0 Karma

philipmattocks
Path Finder

Is this a direct copy of the search string you're using? Try using 'straight' quotes, rather than 'curly' ones:

Eval name2=if(ID="XYZ","Unknown", name)
0 Karma

dlcrooks
Engager

No, I am using the correct quotes.

0 Karma

493669
Super Champion

If you could share sample inputs, that would help us understand better.

0 Karma

isabel_ycourbe
Path Finder

If I understand your question correctly, you have cases where ID="XYZ" but your name is null. In that case you need to use | fillnull value="" name before your eval to make sure your names are at least blank (otherwise by default it will be unset, hence null).

0 Karma

dlcrooks
Engager

No joy. The name field is still blank as IF statement is not working.

0 Karma

isabel_ycourbe
Path Finder

Can you provide a small dataset?

0 Karma

isabel_ycourbe
Path Finder

I'm not sure I understand your question. When do you have null?

0 Karma

493669
Super Champion

Are you trying it like this:

| Eval name=if(ID="XYZ","Unknown", name) | fillnull value=Unknown
0 Karma

dlcrooks
Engager

Why doesn’t the IF statement work? I should not have to use the Fillnull!

0 Karma

isabel_ycourbe
Path Finder

It actually works as expected. Don't forget that Splunk will run your pipes one by one; searches are not compiled.

If we take this search
(1)
(2) | eval name=if(id="xyz", "unknown", name)

At (1) your field name will only exist where there is a value; for all rows, it will not be blank, it will not exist and hence be null, so at step (2) you will assign null to your field name.

If you add a fillnull in between:

(1)
(2) | fillnull value="" name
(3) | eval name=if(id="xyz", "unknown", name)

Now at step (2) your field name exists and is set to blank (or whatever value you set).

0 Karma

dlcrooks
Engager

Yes, and still no luck

0 Karma

dlcrooks
Engager

I put the if statement at the end and it works.

0 Karma

isabel_ycourbe
Path Finder

You need to do the opposite, first fill nulls, then do your eval.

0 Karma
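
A self-contained search for testing the command ordering discussed in this thread, added here as an example and not posted by any participant. The four rows are constructed with makeresults (the `row` helper field and the sample names are assumptions): one row for each combination of ID being "XYZ" or not and name being set or unset.

```spl
| makeresults count=4
| streamstats count AS row
| eval ID=case(row=1,"XYZ", row=2,"ABC", row=3,"ABC", row=4,"XYZ")
| eval name=case(row=1,"alice", row=2,"bob")
| eval name=if(ID="XYZ","Unknown",name)
| fillnull value="Unknown" name
| table row ID name
```

Moving the fillnull line above the if() line runs the other ordering from the thread against the same rows. Field names and string comparisons in eval are case-sensitive, so ID and "XYZ" must match the data exactly.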