Usage: isnull(field) returns true if field is null.
Argument type: all supported data types.
Return type: BOOLEAN
Example:
od> source=accounts | eval result = isnull(employer) | fields result, employer, firstname
fetched rows / total rows = 4/4
+----------+------------+-------------+
| result   | employer   | firstname   |
|----------+------------+-------------|
| False    | Pyrami     | Amber       |
| False    | Netagy     | Hattie      |
| False    | Quility    | Nanette     |
| True     | null       | Dale        |
+----------+------------+-------------+
Usage: isnotnull(field) returns true if field is not null.
Argument type: all supported data types.
Return type: BOOLEAN
Example:
od> source=accounts | where not isnotnull(employer) | fields account_number, employer
fetched rows / total rows = 1/1
+------------------+------------+
| account_number   | employer   |
|------------------+------------|
| 18               | null       |
+------------------+------------+
Because Elasticsearch doesn't differentiate between null and missing, we can't provide functions like ismissing/isnotmissing to test whether a field exists. You can still use isnull/isnotnull for that purpose.
For example, account 13 doesn't have an email field:
od> source=accounts | where isnull(email) | fields account_number, email
fetched rows / total rows = 1/1
+------------------+---------+
| account_number   | email   |
|------------------+---------|
| 13               | null    |
+------------------+---------+
Usage: ifnull(field1, field2) returns field2 if field1 is null.
Argument type: all supported data types. (NOTE: if the two parameters have different types, the query will fail the semantic check.)
Return type: any
Example:
od> source=accounts | eval result = ifnull(employer, 'default') | fields result, employer, firstname
fetched rows / total rows = 4/4
+----------+------------+-------------+
| result   | employer   | firstname   |
|----------+------------+-------------|
| Pyrami   | Pyrami     | Amber       |
| Netagy   | Netagy     | Hattie      |
| Quility  | Quility    | Nanette     |
| default  | null       | Dale        |
+----------+------------+-------------+
Usage: nullif(field1, field2) returns null if the two parameters are the same; otherwise it returns field1.
Argument type: all supported data types. (NOTE: if the two parameters have different types, the query will fail the semantic check.)
Return type: any
Example:
od> source=accounts | eval result = nullif(employer, 'Pyrami') | fields result, employer, firstname
fetched rows / total rows = 4/4
+----------+------------+-------------+
| result   | employer   | firstname   |
|----------+------------+-------------|
| null     | Pyrami     | Amber       |
| Netagy   | Netagy     | Hattie      |
| Quility  | Quility    | Nanette     |
| null     | null       | Dale        |
+----------+------------+-------------+
Usage: isnull(field1, field2) returns null if the two parameters are the same; otherwise it returns field1.
Argument type: all supported data types.
Return type: any
Example:
od> source=accounts | eval result = isnull(employer) | fields result, employer, firstname
fetched rows / total rows = 4/4
+----------+------------+-------------+
| result   | employer   | firstname   |
|----------+------------+-------------|
| False    | Pyrami     | Amber       |
| False    | Netagy     | Hattie      |
| False    | Quility    | Nanette     |
| True     | null       | Dale        |
+----------+------------+-------------+
Usage: if(condition, expr1, expr2) returns expr1 if condition is true; otherwise it returns expr2.
Argument type: all supported data types. (NOTE: if expr1 and expr2 have different types, the query will fail the semantic check.)
Return type: any
Example:
od> source=accounts | eval result = if(true, firstname, lastname) | fields result, firstname, lastname
fetched rows / total rows = 4/4
+----------+-------------+------------+
| result   | firstname   | lastname   |
|----------+-------------+------------|
| Amber    | Amber       | Duke       |
| Hattie   | Hattie      | Bond       |
| Nanette  | Nanette     | Bates      |
| Dale     | Dale        | Adams      |
+----------+-------------+------------+
od> source=accounts | eval result = if(false, firstname, lastname) | fields result, firstname, lastname
fetched rows / total rows = 4/4
+----------+-------------+------------+
| result   | firstname   | lastname   |
|----------+-------------+------------|
| Duke     | Amber       | Duke       |
| Bond     | Hattie      | Bond       |
| Bates    | Nanette     | Bates      |
| Adams    | Dale        | Adams      |
+----------+-------------+------------+
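The null-versus-missing behaviour and the type rule for ifnull/nullif described above can be modelled in a few lines. This is an added Python illustration, not the plugin's own code; the sample documents, the SemanticCheckError name and the rule that null is compatible with any type are assumptions made for the example.

```python
# Added illustration, not the plugin's code: a Python model of the
# null-handling semantics documented on this page.

class SemanticCheckError(TypeError):
    """Hypothetical name for a failed semantic (type) check."""

def _check_types(a, b):
    # Assumption: null is compatible with any type; otherwise types must match.
    if a is not None and b is not None and type(a) is not type(b):
        raise SemanticCheckError(f"{type(a).__name__} vs {type(b).__name__}")

def isnull(doc, field):
    # A missing key and an explicit null look the same, as the page notes.
    return doc.get(field) is None

def isnotnull(doc, field):
    return not isnull(doc, field)

def ifnull(value, fallback):
    _check_types(value, fallback)
    return fallback if value is None else value

def nullif(value, other):
    _check_types(value, other)
    return None if value == other else value

# Constructed sample documents (e-mail addresses are made up).
ACCOUNTS = [
    {"account_number": 1, "employer": "Pyrami", "email": "a@example.com"},
    {"account_number": 13, "employer": "Quility"},  # email key absent
    {"account_number": 18, "employer": None, "email": "d@example.com"},
]

def where_isnull(docs, field):
    """Model of: source=accounts | where isnull(<field>) | fields account_number"""
    return [d["account_number"] for d in docs if isnull(d, field)]

def eval_ifnull(docs, field, default):
    """Model of: source=accounts | eval result = ifnull(<field>, <default>)"""
    return [ifnull(d.get(field), default) for d in docs]

if __name__ == "__main__":
    print(where_isnull(ACCOUNTS, "email"))     # absent field matches
    print(where_isnull(ACCOUNTS, "employer"))  # explicit null matches
    print(eval_ifnull(ACCOUNTS, "employer", "default"))
```

A filter built on isnull therefore cannot tell "field was never sent" from "field was sent as null"; queries that need that distinction have to rely on something other than these functions.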