Solved: If column is missing then eval

jiaqya · ‎04-01-2020

if a field is missing in output, what is the query to eval another field to create this missing field.

below query can do it,

|eval missing=anothercolumn.

but to run this query , i need to run it only when the "missing" column is missing.
what is the logic to use..

memarshall63 · ‎04-01-2020

You can use 'if' and 'isnull' to identify whether the field exists, and if not replace it with another field.

| makeresults 
| eval there = "NOTNULL" 
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL") 
| eval NEWFIELD2 = if(isnull(there),"FIELD IS NULL", "FIELD IS AVAIL")

or

| makeresults 
| eval there = "NOTNULL" 
| eval newfield = "NEW"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL") 
| eval NEWFIELD2 = if(isnull(there),newfield, there)

View solution in original post

memarshall63 · ‎04-01-2020

You can use 'if' and 'isnull' to identify whether the field exists, and if not replace it with another field.

| makeresults 
| eval there = "NOTNULL" 
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL") 
| eval NEWFIELD2 = if(isnull(there),"FIELD IS NULL", "FIELD IS AVAIL")

or

| makeresults 
| eval there = "NOTNULL" 
| eval newfield = "NEW"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL") 
| eval NEWFIELD2 = if(isnull(there),newfield, there)

jiaqya · ‎04-01-2020

This works good, thanks, can i ask for another help.

the eval missing=newcolumn.

the new column is the last column in the table which im evaling with missing.
how do i eval the last column to be missing..

jiaqya · ‎04-01-2020

simplifying this even further,.

if column "missing" is missing, then eval it with 12th column( this wont change )

to identify "missing" is actually missing, i am using your above code... of if and isnull

memarshall63 · ‎04-01-2020

That's a tougher question.

The only way I'd know how to do that is to leave the values in a string, split it, and then use mvindex to index the 12th value in the split.

| makeresults 
| eval message = "this,is,the,fourth,fifth,sixth,value" 
| eval new_mvfield = split(message,",") 
| eval FOURTH = mvindex(new_mvfield,3)
| eval FIFTH = mvindex(new_mvfield,4)
| eval LAST = mvindex(new_mvfield,-1)

jiaqya · ‎04-01-2020

thanks, luckily my column names are months, ie last 12 months, so my last column as of today is 'Apr 2020' followed by the 'Missing' column.

so i got the 'Apr 2020' using eval as below, but when i eval it with "missing" , it prints the actual value.
how to treat the value to be a column during eval on 2nd line...

|eval ThisMonth=strftime(relative_time(now(), "-0d"), "%b %Y")
| eval Missing = if(isnull(Missing),ThisMonth, Missing)
|fields - ThisMonth

output below :

Apr 2020 Missing
99.62 Apr 2020
99.37 Apr 2020
99.16 Apr 2020
99.42 Apr 2020

basically want the values of Apr 2020 to be under Missing, like below.

Apr 2020 Missing
99.62 99.62
99.37 99.37
99.16 99.16
99.42 99.42

If column is missing then eval

eval

Can’t make it to .conf25? Join us online!

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Customer success is front and center at .conf25

Are you a member of the Splunk Community?