https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386129#M112729 <P>@wajeeh911 </P> <P>In this case I suggest you to take benefit of any child field of <CODE>failureRadar</CODE>. Like, in my below sample example I have took <CODE>A</CODE> as child field of <CODE>failureRadar</CODE>. After renaming this field we can use it with <CODE>where isnull(</CODE> ( As @niketnilay said) to get <CODE>failureRadar</CODE> empty events. Please check my below <STRONG>Sample Search</STRONG>.</P> <P><STRONG>Events used:</STRONG></P> <P><CODE>{ "other_keys":"HI", "failureRadar":[]}</CODE></P> <P><CODE>{ "other_keys":"HI", "failureRadar":[{"A":"B"}]}</CODE></P> <P><STRONG>Sample Search:</STRONG></P> <PRE><CODE>| makeresults | eval _raw="{ \"other_keys\":\"HI\", \"failureRadar\":[]}" | append [ | makeresults | eval _raw="{ \"other_keys\":\"HI\", \"failureRadar\":[{\"A\":\"B\"}]}" ] | kv |rename failureRadar{}.A as myFlag | where isnull(myFlag) </CODE></PRE> <P>Can you please try below search ?</P> <PRE><CODE>YOUR_SEARCH |rename failureRadar{}.A as myFlag | where isnull(myFlag) </CODE></PRE> <P><STRONG>Note:</STRONG> <CODE>A</CODE> is my child field of <CODE>failureRadar</CODE>. replace it with your original fields.</P> <P>Try and let us know if any challenges. Please share some sample events for us to further assistance. </P> <P>Thanks</P> Fri, 12 Jul 2019 05:32:59 GMT kamlesh_vaghela 2019-07-12T05:32:59Z https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386124#M112724 <P>I'm having trouble querying the field attached in the image. I either want to know is its empty or has values in it. Does anyone know the proper syntax?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7320i67F1AF5745738BF7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 11 Jul 2019 22:36:48 GMT https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386124#M112724 wajeeh911 2019-07-11T22:36:48Z https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386125#M112725 <P>can you just table the field and post the results so we can see what is there currently?</P> <P><CODE>| table failureRadar</CODE></P> Thu, 11 Jul 2019 22:54:11 GMT https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386125#M112725 marycordova 2019-07-11T22:54:11Z https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386126#M112726 <P>@marycordova I'm not looking to table the results, I'm trying to query results only when the list is empty.</P> Fri, 12 Jul 2019 04:25:16 GMT https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386126#M112726 wajeeh911 2019-07-12T04:25:16Z https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386127#M112727 <P>@wajeeh911 what is your current query? Can you post sample JSON (raw) for the two scenarios?<BR /> Have you tried the following filter?</P> <PRE><CODE>| where isnull(failureRadar) </CODE></PRE> Fri, 12 Jul 2019 04:45:23 GMT https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386127#M112727 niketn 2019-07-12T04:45:23Z https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386128#M112728 <P>Right but a table will let me see what your data looks like so I can help you</P> Fri, 12 Jul 2019 05:03:10 GMT https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386128#M112728 marycordova 2019-07-12T05:03:10Z https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386129#M112729 <P>@wajeeh911 </P> <P>In this case I suggest you to take benefit of any child field of <CODE>failureRadar</CODE>. Like, in my below sample example I have took <CODE>A</CODE> as child field of <CODE>failureRadar</CODE>. After renaming this field we can use it with <CODE>where isnull(</CODE> ( As @niketnilay said) to get <CODE>failureRadar</CODE> empty events. Please check my below <STRONG>Sample Search</STRONG>.</P> <P><STRONG>Events used:</STRONG></P> <P><CODE>{ "other_keys":"HI", "failureRadar":[]}</CODE></P> <P><CODE>{ "other_keys":"HI", "failureRadar":[{"A":"B"}]}</CODE></P> <P><STRONG>Sample Search:</STRONG></P> <PRE><CODE>| makeresults | eval _raw="{ \"other_keys\":\"HI\", \"failureRadar\":[]}" | append [ | makeresults | eval _raw="{ \"other_keys\":\"HI\", \"failureRadar\":[{\"A\":\"B\"}]}" ] | kv |rename failureRadar{}.A as myFlag | where isnull(myFlag) </CODE></PRE> <P>Can you please try below search ?</P> <PRE><CODE>YOUR_SEARCH |rename failureRadar{}.A as myFlag | where isnull(myFlag) </CODE></PRE> <P><STRONG>Note:</STRONG> <CODE>A</CODE> is my child field of <CODE>failureRadar</CODE>. replace it with your original fields.</P> <P>Try and let us know if any challenges. Please share some sample events for us to further assistance. </P> <P>Thanks</P> Fri, 12 Jul 2019 05:32:59 GMT https://community.splunk.com/t5/Splunk-Search/query-to-check-is-a-list-is-or-has-values-in-it/m-p/386129#M112729 kamlesh_vaghela 2019-07-12T05:32:59Z