https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491813#M137258 <P>"NULL" is not <CODE>NULL</CODE>. The former is a value consisting of a string of four characters whereas the latter is the absence of a value. The <CODE>isnotnull</CODE> function tests if the field has a value so, since all of your example values are not <CODE>NULL</CODE>, will return all values.</P> Wed, 06 May 2020 14:03:14 GMT richgalloway 2020-05-06T14:03:14Z https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491812#M137257 <P>I have a transaction with <CODE>mvlist</CODE> set to true which results in a table where a number of fields display multiple NULL values:</P> <PRE><CODE>Col1 Col2 Col3 12345 NULL 1111 NULL XYZ 2222 NULL NULL 3333 </CODE></PRE> <P>Note: this is all 1 row</P> <P>I would like it filtered to the following:</P> <PRE><CODE>Col1 Col2 Col3 12345 XYZ 1111 2222 3333 </CODE></PRE> <P>In splunk docs I read that <CODE>mvfilter</CODE> in combination with <CODE>isnotnull</CODE> or <CODE>!isnull</CODE> functions can be used when you want to return only values that are not NULL from a multivalue field. Neither of these appear to work for me:</P> <PRE><CODE>y=mvfilter(isnotnull(x)) y=mvfilter(!isnull(x)) </CODE></PRE> <P>While this does:</P> <PRE><CODE>y=mvfilter(x!="NULL")) </CODE></PRE> <P>Any ideas on why the former doesn't work? Are there any performance differences between each method?</P> Wed, 06 May 2020 13:39:15 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491812#M137257 dfraseman 2020-05-06T13:39:15Z https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491813#M137258 <P>"NULL" is not <CODE>NULL</CODE>. The former is a value consisting of a string of four characters whereas the latter is the absence of a value. The <CODE>isnotnull</CODE> function tests if the field has a value so, since all of your example values are not <CODE>NULL</CODE>, will return all values.</P> Wed, 06 May 2020 14:03:14 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491813#M137258 richgalloway 2020-05-06T14:03:14Z https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491814#M137259 <P>My guess would be that the transaction with mvlist=true does not return <CODE>NULL</CODE> as a value but rather "NULL" as a string. You can easily test the assumption by trying len(x). If it returns 4, then the transaction has written the word "NULL" into the result. If len(x) gives you nothing or 0, then it's the <CODE>NULL</CODE> value itself. From what you've observed, I think, it's the first.</P> Wed, 06 May 2020 14:07:08 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491814#M137259 ololdach 2020-05-06T14:07:08Z https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491815#M137260 <P>Your assumption is correct. len(x) returns 4 for the NULL occurrences. Thanks a lot!</P> Wed, 06 May 2020 14:26:42 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/491815#M137260 dfraseman 2020-05-06T14:26:42Z https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/547492#M155256 <P>Say eg I have Category field with NULL value so simply use below code,</P><P>Category!=NULL</P> Sat, 10 Apr 2021 09:34:07 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-NULL-values-from-multivalue-field/m-p/547492#M155256 technocrat007 2021-04-10T09:34:07Z