Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search result evaluates to true when it is false

shaunm001
Path Finder
‎01-28-2025 09:20 AM

Hello, trying to figure out why this eval statement testing for a null value always evaluates to "true", even when the field does contain data:

shaunm001_1-1738084615547.png

Here is what the data looks like in the results:

shaunm001_2-1738084765526.png

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alex_tc80
Explorer
‎01-28-2025 10:30 AM

Hi, use spath : https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Spath

To see why it happens, add and eval with just | eval subject2=Item.Subject ... | table ..., subject2 
(subject2 be null)

I have a splunk index in JSON that has the key SRV and key CONTENT_LENGTH.
If i do

index=someindex 
| eval CONTENT_TYPE=if(isnull(SRV.CONTENT_TYPE),"true","false") 
| table SRV.CONTENT_TYPE, CONTENT_TYPE

I will get the same problem as you do.

But like below, i dont :

index=someindex 
| spath output=qwe "SRV.CONTENT_TYPE" 
| eval CONTENT_TYPE=if(isnull(qwe),"true","false") 
| table SRV.CONTENT_TYPE, CONTENT_TYPE

 

 

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-29-2025 02:21 AM

You are doing

isnull(Item.Subject)

Since you are not enclosing the Item.Subject part in quotes (in this case - you should use single quotes) Splunk treats Item and Subject as separate field names and tries to concatenate (the dot operator) their values. Since you have no fields called neither Item nor Subject in your data, the result of joining two null values is of course null as well.

You should do

isnull('Item.Subject')

to get a correct result.

Spath is not needed and since Splunk has already done automatic json extraction, it's a needless performance hit.

Reply
Solved! Jump to solution

shaunm001
Path Finder
‎01-29-2025 08:11 AM

Great, this also works and is actually simpler than the spath solution, thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

alex_tc80
Explorer
‎01-28-2025 10:30 AM

Hi, use spath : https://docs.splunk.com/Documentation/Splunk/9.4.0/SearchReference/Spath

To see why it happens, add and eval with just | eval subject2=Item.Subject ... | table ..., subject2 
(subject2 be null)

I have a splunk index in JSON that has the key SRV and key CONTENT_LENGTH.
If i do

index=someindex 
| eval CONTENT_TYPE=if(isnull(SRV.CONTENT_TYPE),"true","false") 
| table SRV.CONTENT_TYPE, CONTENT_TYPE

I will get the same problem as you do.

But like below, i dont :

index=someindex 
| spath output=qwe "SRV.CONTENT_TYPE" 
| eval CONTENT_TYPE=if(isnull(qwe),"true","false") 
| table SRV.CONTENT_TYPE, CONTENT_TYPE

 

 

Reply
Solved! Jump to solution

shaunm001
Path Finder
‎01-28-2025 10:45 AM

Ahh..thanks, this was killing me. I was also having trouble with the eval statement checking an array value (kept erroring out), but seems like spath was the key there as well. 

This ended up working for me:

index=someindex
| spath output=sentSubject "Item.Subject"
| spath output=receivedSubject "AffectedItems{}.Subject"
| eval subject = if(isnull(sentSubject),receivedSubject,sentSubject)
| table UserId,subject,Operation, _time

 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...