Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

iplocation: How to replace null or empty string City field with "Unknown"?

Matthias_BY
Communicator
‎08-20-2014 06:42 AM

Hello,

i have several search results where the City Field ist after IPLocation not filled up. i recognized it already that simply for such an IP there is no City Information available - only Country.

In Splunk no values are shown as "blank" or whatever values - i like to convert them to "Unknown" in the report. i tried already fill null but it did not work. can someone help? maybe with eval City=if(City="")?

alt text

Thx a lot
Matthias

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-20-2014 06:59 AM

The mean thing here is that City sometimes is null, sometimes it's the empty string. Apparently it's null only if there is no location info whatsoever, but the empty string if there is some location info but no city. Here's an example:

| stats count | eval clientip = "127.0.0.1 8.8.8.8" | makemv clientip | mvexpand clientip | iplocation clientip | eval null = if(isnull(City), "yes", "no")

For me it translates Google's public DNS into "somewhere in the US" with City="", and it doesn't know anything about localhost leaving City=null. That's why your fillnull fails, and short-hand functions such as coalesce() would fail as well.

To address both cases you could do this:

... | eval City = if(isnull(City) OR City="", "Unknown", City)

Maybe move that to a macro and do the same for Country.

You could also use this, but it's not a lot prettier than the if() expression above.

... | fillnull value="Unknown" City | replace "" with "Unknown" in City

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-20-2014 06:59 AM

The mean thing here is that City sometimes is null, sometimes it's the empty string. Apparently it's null only if there is no location info whatsoever, but the empty string if there is some location info but no city. Here's an example:

| stats count | eval clientip = "127.0.0.1 8.8.8.8" | makemv clientip | mvexpand clientip | iplocation clientip | eval null = if(isnull(City), "yes", "no")

For me it translates Google's public DNS into "somewhere in the US" with City="", and it doesn't know anything about localhost leaving City=null. That's why your fillnull fails, and short-hand functions such as coalesce() would fail as well.

To address both cases you could do this:

... | eval City = if(isnull(City) OR City="", "Unknown", City)

Maybe move that to a macro and do the same for Country.

You could also use this, but it's not a lot prettier than the if() expression above.

... | fillnull value="Unknown" City | replace "" with "Unknown" in City
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎08-20-2014 07:37 AM

Gerne! 🙂

0 Karma
Reply
Solved! Jump to solution

Matthias_BY
Communicator
‎08-20-2014 07:29 AM

perfect

eval City = if(isnull(City) OR City="", "Unknown", City)

is doing it! thanks for your nearly real time support and solution!

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...