Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- If column is missing then eval
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if a field is missing in output, what is the query to eval another field to create this missing field.
below query can do it,
|eval missing=anothercolumn.
but to run this query , i need to run it only when the "missing" column is missing.
what is the logic to use..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use 'if' and 'isnull' to identify whether the field exists, and if not replace it with another field.
| makeresults
| eval there = "NOTNULL"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),"FIELD IS NULL", "FIELD IS AVAIL")
or
| makeresults
| eval there = "NOTNULL"
| eval newfield = "NEW"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),newfield, there)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use 'if' and 'isnull' to identify whether the field exists, and if not replace it with another field.
| makeresults
| eval there = "NOTNULL"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),"FIELD IS NULL", "FIELD IS AVAIL")
or
| makeresults
| eval there = "NOTNULL"
| eval newfield = "NEW"
| eval NEWFIELD = if(isnull(notthere),"FIELD IS NULL", "FIELD IS AVAIL")
| eval NEWFIELD2 = if(isnull(there),newfield, there)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works good, thanks, can i ask for another help.
the eval missing=newcolumn.
the new column is the last column in the table which im evaling with missing.
how do i eval the last column to be missing..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
simplifying this even further,.
if column "missing" is missing, then eval it with 12th column( this wont change )
to identify "missing" is actually missing, i am using your above code... of if and isnull
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's a tougher question.
The only way I'd know how to do that is to leave the values in a string, split it, and then use mvindex to index the 12th value in the split.
| makeresults
| eval message = "this,is,the,fourth,fifth,sixth,value"
| eval new_mvfield = split(message,",")
| eval FOURTH = mvindex(new_mvfield,3)
| eval FIFTH = mvindex(new_mvfield,4)
| eval LAST = mvindex(new_mvfield,-1)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, luckily my column names are months, ie last 12 months, so my last column as of today is 'Apr 2020' followed by the 'Missing' column.
so i got the 'Apr 2020' using eval as below, but when i eval it with "missing" , it prints the actual value.
how to treat the value to be a column during eval on 2nd line...
|eval ThisMonth=strftime(relative_time(now(), "-0d"), "%b %Y")
| eval Missing = if(isnull(Missing),ThisMonth, Missing)
|fields - ThisMonth
output below :
Apr 2020 Missing
99.62 Apr 2020
99.37 Apr 2020
99.16 Apr 2020
99.42 Apr 2020
basically want the values of Apr 2020 to be under Missing, like below.
Apr 2020 Missing
99.62 99.62
99.37 99.37
99.16 99.16
99.42 99.42
Observe and Secure All Apps with Splunk
What's New in Splunk Observability - August 2025
Introduction to Splunk AI
