Generate Null Values in Expressions

Handle invalid data conditions using the null() function

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1{Conditional} result{{Result Set}} repo --> 1 1 --> result
logscale
bar := if(foo < 0,
        then = null(),
        else = math:sqrt(foo))

Introduction

The null() function can be used to explicitly yield null values in expressions, which is particularly useful for handling invalid or undefined data conditions.

In this example, the null() function is used in combination with if() to handle invalid data conditions by explicitly yielding null values in expressions, unless specific criteria are met.

Example incoming data might look like this:

@timestampfoo
2025-10-15T10:00:00-5
2025-10-15T10:00:0116
2025-10-15T10:00:024
2025-10-15T10:00:03-2
2025-10-15T10:00:049
2025-10-15T10:00:050

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1{Conditional} result{{Result Set}} repo --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    bar := if(foo < 0,
        then = null(),
        else = math:sqrt(foo))

    Creates a new field named bar using the if() function. When foo is less than 0, the null() function explicitly yields a null value to handle the invalid input case. For non-negative values, it calculates the square root using math:sqrt().

    The null() function returns the null value. The null value is also what you get if you read a field which is not there, or if a computation fails (for instance "a" + 1). This makes it clear in the output that these values were intentionally set to null due to not meeting the valid input criteria.

    Note that the assignment operator := does nothing if the expression's result is null.

  3. Event Result set.

Summary and Results

The query is used to demonstrate proper data handling by explicitly marking invalid inputs with null values while processing valid inputs normally.

This query is useful, for example, to maintain data quality by clearly distinguishing between invalid inputs and valid calculations, rather than silently failing or producing error values.

Sample output from the incoming example data:

barfoo
&lt;no value&gt;-5
416
24
&lt;no value&gt;-2
39
00

Note that the output of the null() function is the same kind of "no value" that you get if you read a field which is not present in a given event.

Note how the assignment operator := does nothing if the expression's result is null.