topic Re: How can I search for a missing field? in Splunk Search

How can I search for a missing field?

hulahoop — Wed, 03 Feb 2010 10:22:08 GMT

Let's say I have events A and B:

A -- Feb 1 2010 10:10:00 field1=foo field2=bar
B -- Feb 1 2010 10:10:01 field1=foo

How can I find all events where field2 is missing (essentially event B in this tiny example)?

Re: How can I search for a missing field?

hulahoop — Wed, 03 Feb 2010 10:23:50 GMT

Ok, so I tried a few things, and this is what ended up working:

NOT field2=*

It would be more intuitive if this worked also:

field2=""

Re: How can I search for a missing field?

gkanapathy — Wed, 03 Feb 2010 12:49:21 GMT

field2="" means something very different. It means that field2 exists, but has an empty string value.

Re: How can I search for a missing field?

gkanapathy — Wed, 03 Feb 2010 12:58:10 GMT

Note that using

field2!=*

will not work either. This will never return any events, as it will always be false. This means that field2!=* and NOT field2=* are not entirely equivalent. In particular, in the case where field2 doesn't exist, the former is false, while the latter is true.

Re: How can I search for a missing field?

hulahoop — Wed, 03 Feb 2010 14:00:00 GMT

It seems like they are logically equivalent, but Splunk does not treat them so. Is that a fair statement?

Re: How can I search for a missing field?

gkanapathy — Wed, 03 Feb 2010 14:43:11 GMT

No they are not logically equivalent. There is a difference between being empty, and not existing.

Re: How can I search for a missing field?

gkanapathy — Wed, 03 Feb 2010 14:45:08 GMT

Well, I guess it depends what you mean by "logically equivalent", but there is a difference in meaning regardless of how Splunk treats them.

Re: How can I search for a missing field?

dinh — Thu, 04 Feb 2010 02:01:54 GMT

You can do this on your search:

| where isnull(field2)

Re: How can I search for a missing field?

hulahoop — Thu, 04 Feb 2010 02:02:27 GMT

yes, but in splunk land, would a field ever exist and be empty?

Re: How can I search for a missing field?

jrodman — Thu, 04 Feb 2010 02:29:47 GMT

It's a valid state of a field.
You can get there with regex extractions.

Do you mean that this is an undesirable thing?

Re: How can I search for a missing field?

hulahoop — Thu, 04 Feb 2010 13:12:18 GMT

hey k8to, i'm just wondering if it can actually happen, and if splunk would behave consistently.

Re: How can I search for a missing field?

gkanapathy — Tue, 31 Aug 2010 12:59:05 GMT

Yes, it can happen.

Re: How can I search for a missing field?

otman01 — Thu, 12 Mar 2015 15:31:40 GMT

it works thank you all , have a nice day

Re: How can I search for a missing field?

support0 — Tue, 01 Sep 2015 13:46:34 GMT

fillnull field2 | search field2=0

Re: How can I search for a missing field?

leonjxtan — Mon, 12 Jun 2017 10:18:06 GMT

the first code works; the second code doesn't.

Re: How can I search for a missing field?

lmoceze — Tue, 26 Nov 2024 09:16:18 GMT

Thats the answer, thanks!