topic Re: How can I find events having NULL value related to a field? in Splunk Search

How can I find events having NULL value related to a field?

sbhatnagar88 — Fri, 01 Mar 2019 08:58:07 GMT

Hi,

I am trying to find all the events related to a field where value is NULL.

For E.g., say a field has multiple values like:

abc
def
mno
         -- This is NULL value
xyz
           -- This is NULL value
pqr.

I am trying to search via the below query, but that's not working.
Here parent_incident is field name, which contains multiple values including NULL, and I need data related to NULL values only.

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/" NOT parent_incident=*

Any help would be appreciable.

Thanks

Re: How can I find events having NULL value related to a field?

vnravikumar — Fri, 01 Mar 2019 09:04:08 GMT

Hi @sbhatnagar88

Try like

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/" | where isnull(parent_incident)

Re: How can I find events having NULL value related to a field?

sbhatnagar88 — Tue, 29 Sep 2020 23:31:58 GMT

Hi @ vnravikumar,

i already have where condition to filter out the month so I am putting your response like this but it doesn't seems to be working.

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/"
| where strftime(_time,"%B %Y")="February 2019" AND isnull(parent_incident)

Thanks

Re: How can I find events having NULL value related to a field?

vnravikumar — Fri, 01 Mar 2019 09:30:17 GMT

What is the response you are getting?

Re: How can I find events having NULL value related to a field?

vnravikumar — Fri, 01 Mar 2019 09:32:06 GMT

It has to work

| makeresults 
| eval test= null(),test1="sample" 
| where strftime(_time,"%B %Y")="March 2019" AND isnull(test)

Re: How can I find events having NULL value related to a field?

sbhatnagar88 — Fri, 01 Mar 2019 09:47:42 GMT

no data coming up with this condition ...

Re: How can I find events having NULL value related to a field?

vnravikumar — Fri, 01 Mar 2019 09:50:58 GMT

Please confirm whether you have data for February month and time range what you had selected

Re: How can I find events having NULL value related to a field?

sbhatnagar88 — Tue, 29 Sep 2020 23:32:01 GMT

yes, we have because when I remove isnull(parent_incident) condition, it shows me data and parent_incident has NULL value as well..

Re: How can I find events having NULL value related to a field?

vnravikumar — Tue, 29 Sep 2020 23:28:04 GMT

Please confirm whether parent_incident contains null values by removing strftime(_time,"%B %Y")="February 2019" in your search

Also, try

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/"
| where strftime(_time,"%B %Y")="February 2019" AND parent_incident=""

Re: How can I find events having NULL value related to a field?

sbhatnagar88 — Tue, 29 Sep 2020 23:32:09 GMT

Hi,
below one worked .. i tried all these yesterday but they didn't work for me because I gave space between double quotes. without spaces it showed me data related to NULL values

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/"
| where strftime(_time,"%B %Y")="February 2019" AND parent_incident=""

Thanks Much!!

Re: How can I find events having NULL value related to a field?

vnravikumar — Fri, 01 Mar 2019 11:14:44 GMT

Good to hear. Please accept the answer.