documentation of splunk "ifnull" function?

Question

We're using the ifnull function in one of our Splunk queries (yes, ifnull not isnull), and I wanted to look up the logic just to be sure, but I can't find it documented anywhere.

It is referenced in a few spots:

But I can't find a definition/explanation anywhere on what it actually does. Google seems to be of no help either (constantly wants to redirect me to isnull).

In particular it's also not listed in "common evaluation functions".

Can anyone point me to some documentation about ifnull?

score 6 · Accepted Answer · answered May 02 '17 at 08:06

6

TL;DR; it's an alias for coalesce

Wow, it really is hidden! I managed to find it on my local instance here: ./etc/system/default/searchbnf.conf

example4 = coalesce(null(), "Returned value", null())
comment4 = Takes any number of arguments and returns the first value that is not null. The ifnull function does the exact same thing, so both names are acceptable.

answered May 02 '17 at 08:06

Peter McIntyre

122
1
9

Thanks for digging into it! – mac May 03 '17 at 06:31

documentation of splunk "ifnull" function?

1 Answers1