topic Re: How do I search for event with null values in fields in Splunk Search

How do I search for event with null values in fields

JChodagam — Wed, 27 Jul 2011 23:07:43 GMT

I'm trying to find all events in the logs that have no value in a field. What's the simplest query for that?

Re: How do I search for event with null values in fields

JChodagam — Wed, 27 Jul 2011 23:12:55 GMT

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

Re: How do I search for event with null values in fields

sbsbb — Thu, 25 Apr 2013 07:33:22 GMT

Is there another way, to search null without "NOT" ?
I user Sideview and Pulldowns with "+OR+" Separator... so the output from the pulldown for the underlying search is key="value OR value" I can't use NOT there...

Re: How do I search for event with null values in fields

JoeSco27 — Fri, 06 Sep 2013 18:51:16 GMT

for example if you don't want "value OR value" you can use:
key!="value OR value" , the explanation point "bang" does the same function as the NOT

Re: How do I search for event with null values in fields

siraj198204 — Mon, 28 Sep 2020 17:54:27 GMT

Hi ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "([[^]]]){10}[(?P[^]])]" |dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_sso |where matched_sso!="NonNbcAccount"

This is working good ,

output ,

›

10/17/14
12:04:48.549 PM
example 1

[10/17/2014][09:04:48.549][1041173424][s1206273/r789][Supportcentral Internal][][][][][][127004108][][][][][][supportcentralalpcispweb536vprd][** Status: Authorized. ][]
host =useclpapl894.nbcuni.ge.com
matched_sso =127004108
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =127004108

example 1 is correct ..

›

10/17/14
12:04:48.547 PM

example 2 ,

[10/17/2014][09:04:48.547][1041173424][][][SupportCentral allow access][NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]
host =useclpapl894.nbcuni.ge.com
matched_sso ="NonNbcAccount"
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =

in example 2 is having null value , the 11th field is null [] ... but it is returning that value also ...

actually i dont want null value ..

Re: How do I search for event with null values in fields

siraj198204 — Fri, 17 Oct 2014 17:10:24 GMT

Hi,

i added | where len(sso_id)>0 this search with the above search ...

it is looks good ... working very good ...

Thank u ...

Re: How do I search for event with null values in fields

Kwip — Tue, 19 Dec 2017 17:20:14 GMT

I downvoted this post because by mistake