I am trying to set the Name to Unknown if the ID is XYZ else populate it with the name value.
I have
Eval name=if(ID=“XYZ”,”Unknown”, name)
I am getting the name as Null even when I have a fillnull function to change Nulls to Unknown.
Any ideas?
TIA!
is this a direct copy of the search string you're using? Try using 'straight' quotes, rather than 'curly' ones:
Eval name2=if(ID="XYZ","Unknown", name)
No, I using the correct quotes
if you could share sample inputs to understand better
If I understand you question correctly, you have cases where ID="XYZ" but you name is null. In that case you need to use | fillnull value="" name
before your eval to make sure your names are at least blank (otherwise by default it will be unset hence null
).
No joy. The name field is still blank as IF statement is not working.
Can you provide a small dataset ?
I'm not sure to understand your question, when do you have null ?
are you trying like this:
|Eval name=if(ID=“XYZ”,”Unknown”, name)| fillnull value=Unknown
Why doesn’t the IF statement work? I should not have to use the Fillnull!
It actually works as expected, don't forget that splunk will run your pipes one by one, searches is not compiled.
If we take this search
(1)
(2) | eval name=if(id="xyz", "unknown", name)
At (1) your field name
will only exists where there is a value, for all rows, it will not be blank, it will not exist and hence be null so at step (2) you will assign null to you field name
If you add a fill null between
(1)
(2) | fillnull value="" name
(3) | eval name=if(id="xyz", "unknown", name)
now at step (2) you field name exist and is set to blank (or whatever value you set).
Yes, and still no luck
I put the if statement at the end and it works.
You need to do the opposite, first fill nulls, then do your eval.