Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

IF value then string

dlcrooks
Explorer
‎02-12-2018 07:04 AM

I am trying to set the Name to Unknown if the ID is XYZ else populate it with the name value.

I have 

Eval name=if(ID=“XYZ”,”Unknown”, name)

I am getting the name as Null even when I have a fillnull function to change Nulls to Unknown.

Any ideas?

TIA!

Tags (1)
0 Karma
Reply

philipmattocks
Path Finder
‎02-12-2018 07:53 AM

is this a direct copy of the search string you're using? Try using 'straight' quotes, rather than 'curly' ones:

Eval name2=if(ID="XYZ","Unknown", name)
0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 09:35 AM

No, I using the correct quotes

0 Karma
Reply

493669
Super Champion
‎02-12-2018 09:39 AM

if you could share sample inputs to understand better

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-12-2018 07:25 AM

If I understand you question correctly, you have cases where ID="XYZ" but you name is null. In that case you need to use | fillnull value="" name before your eval to make sure your names are at least blank (otherwise by default it will be unset hence null).

0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 09:42 AM

No joy. The name field is still blank as IF statement is not working.

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-13-2018 12:10 AM

Can you provide a small dataset ?

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-12-2018 07:08 AM

I'm not sure to understand your question, when do you have null ?

0 Karma
Reply

493669
Super Champion
‎02-12-2018 07:13 AM

are you trying like this:

|Eval name=if(ID=“XYZ”,”Unknown”, name)| fillnull value=Unknown
0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 08:15 AM

Why doesn’t the IF statement work? I should not have to use the Fillnull!

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-12-2018 08:21 AM

It actually works as expected, don't forget that splunk will run your pipes one by one, searches is not compiled.

If we take this search
(1)
(2) | eval name=if(id="xyz", "unknown", name)

At (1) your field name will only exists where there is a value, for all rows, it will not be blank, it will not exist and hence be null so at step (2) you will assign null to you field name

If you add a fill null between

(1)
(2) | fillnull value="" name
(3) | eval name=if(id="xyz", "unknown", name)

now at step (2) you field name exist and is set to blank (or whatever value you set).

0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 07:58 AM

Yes, and still no luck

0 Karma
Reply

dlcrooks
Explorer
‎02-12-2018 08:10 AM

I put the if statement at the end and it works.

0 Karma
Reply

isabel_ycourbe
Path Finder
‎02-12-2018 08:01 AM

You need to do the opposite, first fill nulls, then do your eval.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...