Splunk's coalesce function treats empty fields as non-null. Learn to use Splunk macros to convert empty strings to nulls for accurate data selection and reliable detections.

Duane Waddle

Source: cisco
Source Link: https://blogs.cisco.com/security/splunk-fix-empty-coalesce/