USAGE OF SPLUNK EVAL FUNCTION : COALESCE


coalesce is an eval function (eval evaluates an expression against the fields of each event and assigns the result to a field). It takes any number of arguments and returns the value of the first argument that is not NULL. If every argument is NULL, the result is NULL and the destination field is not created.

We can use this function with the eval command and as a part of eval expressions.

Syntax :

| eval <field_name>=coalesce(<field1>, <field2>, ...)

Example :

index="abc" sourcetype="abc"
| table Message1,Message2
| eval Message=coalesce(Message1,Message2)
| dedup Message

Result : (screenshot not reproduced; the returned table is described below)

Explanation :

  • In the above query "abc" is the index and "abc" is the sourcetype.
  • The table command keeps only the two fields Message1 and Message2.
  • The eval command then creates a new field, Message, using the coalesce function: for each event it holds the value of Message1 if that field exists, otherwise the value of Message2. dedup finally drops events whose Message value has already been seen.

Some events carry a value in Message1 and others carry a value in Message2. coalesce returns the value of the first argument that is not NULL, so in the first four rows from the top Message takes the value of Message1, because Message1 exists in those events, while in the last row Message takes the value of Message2, because Message1 is NULL there. Note that only an absent field is NULL: a field that exists with an empty string value ("") is still a value, and coalesce will return that empty string rather than move on to the next argument. This behaviour makes coalesce a standard tool for data normalization, for example folding the differently named source-address fields of several sourcetypes into one field that a detection search or dashboard can rely on.
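The normalization use case, as an added example that is not part of the original post. It runs on any Splunk instance without needing an index, because makeresults fabricates four events inline (the constructed rows below stand in for events from three different sourcetypes). The field names src_ip, srcip and client_ip are assumed names for the purpose of the example, not fields taken from the original query. The search builds src_naive with plain coalesce and src with a guard that turns an empty string into NULL before coalesce sees it, so the third row shows the empty-string edge case described above.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_ip = case(n=1, "10.0.0.5", n=3, "", true(), null())
| eval srcip = case(n=2, "192.168.1.9", n=3, "172.16.4.2", true(), null())
| eval client_ip = case(n=4, "203.0.113.7", true(), null())
| eval src_naive = coalesce(src_ip, srcip, client_ip)
| eval src = coalesce(if(src_ip="", null(), src_ip), if(srcip="", null(), srcip), if(client_ip="", null(), client_ip))
| table n, src_ip, srcip, client_ip, src_naive, src
```

Expected result: rows 1, 2 and 4 give the same value in src_naive and src (10.0.0.5, 192.168.1.9 and 203.0.113.7 respectively, each taken from the only field that exists in that row). In row 3 src_ip exists but is empty, so src_naive is the empty string, while src falls through to srcip and returns 172.16.4.2. In a real search the makeresults and case lines are replaced by the index and sourcetype selection, and src can then be used in a stats or where clause across all sourcetypes at once.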

You can also read about : Usage of Splunk EVAL Function : MVCOUNT

Now you can effectively use the "coalesce" function with the "eval" command to meet your requirement !!

Hope you are now comfortable in : Usage of Splunk EVAL Function : COALESCE

HAPPY SPLUNKING !!
