https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427491#M122402 <P>I am trying to see the events that have null values for a variable called 'Issuer', but I can't seem to find a way to make this work.</P> <P>Here are examples of what I have tried:</P> <PRE><CODE>| where isnull(Issuer) | search Issuer!="*" | search Issuer!="A*" AND Issuer!="B*"... AND Issuer!="Z*" | search NOT Issuer=* </CODE></PRE> <P>Without any of these the variable is present in about 95% of the events, I know that from clicking on the field 'Issuer' on the left hand side of the search.</P> <P>All three of those lines return nothing when used on their own. </P> <P>One odd thing is that if I do this:</P> <PRE><CODE>| search Issuer!="I*" </CODE></PRE> <P>It will say that the variable is in every event, but if I try this:</P> <PRE><CODE>| search Issuer="I*" </CODE></PRE> <P>This also says the variable is in every event.</P> <P>I do not know why this is happening so if anyone has any suggestions as to how I should go about finding these null variables please let me know. Thank you.</P> Thu, 05 Jul 2018 18:38:20 GMT pjdwyer 2018-07-05T18:38:20Z https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427491#M122402 <P>I am trying to see the events that have null values for a variable called 'Issuer', but I can't seem to find a way to make this work.</P> <P>Here are examples of what I have tried:</P> <PRE><CODE>| where isnull(Issuer) | search Issuer!="*" | search Issuer!="A*" AND Issuer!="B*"... AND Issuer!="Z*" | search NOT Issuer=* </CODE></PRE> <P>Without any of these the variable is present in about 95% of the events, I know that from clicking on the field 'Issuer' on the left hand side of the search.</P> <P>All three of those lines return nothing when used on their own. </P> <P>One odd thing is that if I do this:</P> <PRE><CODE>| search Issuer!="I*" </CODE></PRE> <P>It will say that the variable is in every event, but if I try this:</P> <PRE><CODE>| search Issuer="I*" </CODE></PRE> <P>This also says the variable is in every event.</P> <P>I do not know why this is happening so if anyone has any suggestions as to how I should go about finding these null variables please let me know. Thank you.</P> Thu, 05 Jul 2018 18:38:20 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427491#M122402 pjdwyer 2018-07-05T18:38:20Z https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427492#M122403 <P>Does this work? <PRE>| search NOT Issuer=*</PRE></P> Thu, 05 Jul 2018 19:01:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427492#M122403 pradeepkumarg 2018-07-05T19:01:01Z https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427493#M122404 <P>No, I forgot to mention I tried that, sorry.</P> Thu, 05 Jul 2018 19:04:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427493#M122404 pjdwyer 2018-07-05T19:04:18Z https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427494#M122405 <PRE> | filnull value="NA" Issuer | search Issuer="NA" </PRE> Thu, 05 Jul 2018 19:13:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427494#M122405 pradeepkumarg 2018-07-05T19:13:35Z https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427495#M122406 <P>When you say null values, does your raw data have field values as literal <CODE>null</CODE> OR just blank? Give this a try</P> <PRE><CODE>your base search | regex Issuer!=".+" </CODE></PRE> Thu, 05 Jul 2018 19:18:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427495#M122406 somesoni2 2018-07-05T19:18:59Z https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427496#M122407 <P>That one was new, but it also returned nothing.<BR /> I'm beginning to think Splunk is not treating the values as though they are null, but I don't know how to figure out how it is treating them.</P> Thu, 05 Jul 2018 19:19:18 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427496#M122407 pjdwyer 2018-07-05T19:19:18Z https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427497#M122408 <P>I don't know what the raw data for the field is when Splunk does not collect a value. I believe it is just blank though. The search you recommended brought up nothing. Thank you though.</P> Thu, 05 Jul 2018 19:36:17 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427497#M122408 pjdwyer 2018-07-05T19:36:17Z https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427498#M122409 <P>The problem had something to do with the rex command. This was my rex command:<BR /> | rex field=_raw "Issuer=\"(?.+)\";File"</P> <P>Some of the variables around the Issuer variable just were not being caught, but when I changed it to this:<BR /> | rex field=_raw "Issuer=(?.+);File"</P> <P>Everything gets caught. I believe this is a bug because I can have the '\"' on either side, but not both. I also tried using '\S' on both sides and that also does not capture everything. It also is not an issue with the string being captured because looking at the stats I can see that the number of individual Issuers caught does not change, but the number each individual one appears gets lowered slightly. </P> Thu, 05 Jul 2018 19:55:53 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-see-events-where-a-variable-s-value-is-null/m-p/427498#M122409 pjdwyer 2018-07-05T19:55:53Z