Re: Splunk coalesce

yuvaraj_m91 · ‎12-21-2023

index="********"
message_type =ERROR correlation_id="*"
| eval err_field1 = spath(_raw,"response_details.body")
| eval err_field2 = spath(_raw,"response_details")
| eval err_field3 = spath(_raw,"error")
| eval err_field4 = spath(_raw,"message")
| eval err_final=coalesce(err_field1,err_field2,err_field3,err_field4)
| table err_field1 err_field2 err_field3 err_field4 err_final

i have the fields populating for err_field3 and err_field4.. but its not populating in the err_final.

Attached the screenshot for reference

dtburrows3 · ‎12-21-2023

In these kinds of situations in Splunk I generally do something like this to replace empty strings with actual null values.

    | foreach err_field*
        [
            | eval
                <<FIELD>>=if(
                    '<<FIELD>>'=="" OR match('<<FIELD>>', "^\s*$"),
                        null(),
                        '<<FIELD>>'
                    )
            ]
    | eval
        err_final=coalesce(err_field1, err_field2, err_field3, err_field4)

You can see the coalesce works as expected after replacing nullifying the empty strings.

Note: this is also replacing any values in the err_field* fields that is only whitespace in addition to empty strings.

richgalloway · ‎12-21-2023

It looks like err_field1contains an empty string. If it was null then err_final would be set to err_field2 or err_field3.

---
If this reply helps you, Karma would be appreciated.

Splunk coalesce

fields

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)

Are you a member of the Splunk Community?

Splunk coalesce

fields

Detecting Brute Force Account Takeover Fraud with Splunk

Buttercup Games: Further Dashboarding Techniques (Part 9)

Buttercup Games: Further Dashboarding Techniques (Part 8)