Re: Splunk coalesce

yuvaraj_m91 · ‎12-21-2023

index="********"
message_type =ERROR correlation_id="*"
| eval err_field1 = spath(_raw,"response_details.body")
| eval err_field2 = spath(_raw,"response_details")
| eval err_field3 = spath(_raw,"error")
| eval err_field4 = spath(_raw,"message")
| eval err_final=coalesce(err_field1,err_field2,err_field3,err_field4)
| table err_field1 err_field2 err_field3 err_field4 err_final

i have the fields populating for err_field3 and err_field4.. but its not populating in the err_final.

Attached the screenshot for reference

dtburrows3 · ‎12-21-2023

In these kinds of situations in Splunk I generally do something like this to replace empty strings with actual null values.

    | foreach err_field*
        [
            | eval
                <<FIELD>>=if(
                    '<<FIELD>>'=="" OR match('<<FIELD>>', "^\s*$"),
                        null(),
                        '<<FIELD>>'
                    )
            ]
    | eval
        err_final=coalesce(err_field1, err_field2, err_field3, err_field4)

You can see the coalesce works as expected after replacing nullifying the empty strings.

Note: this is also replacing any values in the err_field* fields that is only whitespace in addition to empty strings.

richgalloway · ‎12-21-2023

It looks like err_field1contains an empty string. If it was null then err_final would be set to err_field2 or err_field3.

---
If this reply helps you, Karma would be appreciated.

Splunk coalesce

fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation