Check Error Status Using IsNull and If Functions

Validate error codes using isNull() for missing values and null() for error states

Query

logscale
status := if(isNull(errorCode),
        then="OK",
        else=if(errorCode == 0,
                then="OK",
                else=null()))  // Explicit null for error states

Introduction

The isNull() function can be used to check for missing values in error status fields, working together with if() for conditional logic and null() for marking error states.

In this example, the isNull() function is used to check for missing error codes, while null() explicitly marks non-zero error states in a monitoring context.

Example incoming data might look like this:

| @timestamp | errorCode | serviceName |
|---|---|---|
| 2025-10-15T10:00:00 | <no value> | authentication |
| 2025-10-15T10:00:01 | 0 | database |
| 2025-10-15T10:00:02 | 404 | api |
| 2025-10-15T10:00:03 | <no value> | cache |
| 2025-10-15T10:00:04 | 500 | api |
| 2025-10-15T10:00:05 | 0 | authentication |

Step-by-Step

  1. Starting with the source repository events.

  2.
    logscale
    status := if(isNull(errorCode),
            then="OK",
            else=if(errorCode == 0,
                    then="OK",
                    else=null()))  // Explicit null for error states

    Creates a new field named status using a combination of null checking and error validation:

    • The isNull() function first checks if errorCode is missing or undefined:

      • Returns OK for missing values, assuming no error reported means normal operation.

    • If errorCode exists, checks if it equals 0:

      • Returns OK for zero error codes, indicating successful operation.

      • Uses null() to mark any non-zero error codes as error states requiring investigation.

    The behavior is equivalent to this query with a case statement:

    logscale
    case {
      errorCode != * | status := "OK";
      errorCode = 0 | status := "OK";
      *;
    }

  3. Event Result set.

Summary and Results

The query is used to implement an error monitoring system that distinguishes between three states: missing error codes (OK), successful operations (error code 0), and error conditions (non-zero error codes).

This query is useful, for example, to monitor service health across different components where both missing status reports and zero error codes indicate normal operation, while any other error code requires attention.

Sample output from the incoming example data:

| errorCode | serviceName | status |
|---|---|---|
| <no value> | authentication | <no value> |
| 0 | database | OK |
| 404 | api | <no value> |
| <no value> | cache | <no value> |
| 500 | api | <no value> |
| 0 | authentication | OK |

Note that the output clearly distinguishes between normal operations (OK) and error conditions (null), making it easy to identify and investigate service issues.
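
The query above gives missing and zero error codes the same OK value, so a service that has stopped reporting error codes looks the same as a healthy one. The following added example (not part of the original page) labels the three states from the summary separately and counts them per service; the state field and its values "missing", "ok" and "error" are names chosen here for illustration.

```logscale
// Label each event with one of the three states described in the summary.
case {
  errorCode != * | state := "missing";   // no error code reported
  errorCode = 0  | state := "ok";        // explicit success
  *              | state := "error";     // any other error code
}
// Count events per service and state so that services reporting only
// "missing" stand out from services reporting explicit successes.
| groupBy([serviceName, state], function=count())
```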