Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

If one field null, populate another field with 0

cooperjaram
Engager
‎03-03-2020 09:40 AM

Hello Splunkers,

I have two fields that correlate. One field is hostname and another field is score. When I try to get an average of the score I get a incorrect value due to it calculating the score field even though the hostname is null and not representing anything. Is there a way to use if(isnull) or any other eval command so if hostname is null, it gives the other field the value of 0?

Thanks,

Cooper

0 Karma
Reply

to4kawa
Ultra Champion
‎03-03-2020 01:12 PM 
your search
|stats avg(eval(if(isnull(hostname), null(), score))) as score_avg
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-03-2020 10:02 AM

Without seeing your results, it would look something like this 

| eval hostname=if(isnull(score),0,'hostname')
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...