Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Coalesce Fields With Values Excluding Nulls

ixixix_spl
Explorer
‎07-24-2018 04:22 PM

I know you can coalesce multiple columns to merge them into one. However, I am currently coalescing around 8 fields, some of which have null values. Because the last field I am including is sparse (only appears in 3% of the logs), I have found that the coalesced field returns as mostly null (matching the last coalesced field). A demonstration of what I'd like to do is below (A_col is first to coalesce then B_col to make C_col and B_col overwrites A_col if the value in B_col is not null).

Here is the query format I am using
... | eval name = coalesce(entityName, individualName) | ... 

    A demonstration of what I'd like to do (C is a coalesced field of A and B):
    A_col .    B_col .    C_col
    A             Null .      A
    Null .      B .           B
   A .            B .          B
0 Karma
Reply

somesoni2
Revered Legend
‎07-25-2018 11:34 AM

The Null on your output is actual Splunk's null/blank value or a literal "Null" string? Assuming it's former, specify the 2nd column first in the coalesce command.

| eval C_col=coalesce(B_col, A_col)

That way if B_col is available that will be used, else A_col will be used.

0 Karma
Reply

ixixix_spl
Explorer
‎07-25-2018 03:34 PM

@somesoni2 No it means that that log file doesn't have that field. For, example the field transaction_id may be a non-nested key or it could be something like payload.response.transaction_id which is nested. I basically want to melt that into one column, but am having problems with null overwriting the current value. You suggested that I order the columns in increasing sparseness? (i.e. coalesce(4% sparse,20% sparse, 80% sparse))

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎07-25-2018 11:18 AM

Do you have control of the field extractions? If so, why not change the extractions in order to ignore the nulls?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

ghantk1
Explorer
‎07-24-2018 05:39 PM

I believe this should work
| eval C_col =coalesce(A_col, B_col, C_col)

0 Karma
Reply

ixixix_spl
Explorer
‎07-25-2018 09:27 AM

@ghantk1 Didn't do it for me, null values are still overwriting if in the last column I am coalescing on ( | eval C_col =coalesce(A_col, B_col, C_col) command makes B_col nulls overwrite A_col non-null values)

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...