https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-have-null-values-for-a-field/m-p/167280#M47630 <P>The key difference to my question is the fact that <CODE>request</CODE> points to a nested object.</P> <P>For simple fields whose values are literal values (string, boolean, int), any of the following would solve the simple case to find events where a top-level field, <CODE>testField</CODE> is null:</P> <P><CODE>app="my_app" NOT testField="*"</CODE><BR /> <CODE>app="my_app" | where isnull(testField)</CODE></P> <P>However, as my original post explained, I am trying to test for all events where <CODE>request</CODE> is not present, where <CODE>request</CODE> normally pointed to an object, not a literal value.</P> <P>If I query either:</P> <P><CODE>app="my_app" NOT request="*"</CODE><BR /> <CODE>app="my_app" | where isnull(request)</CODE></P> <P>It returns all events, effectively treating an object value in <CODE>request</CODE> as equivalent to NULL. HOWEVER, if I query specifically on a field I know to always be non-null inside the <CODE>request</CODE> object, e.g. <CODE>request.method</CODE>, I can get what I wanted:</P> <P><CODE>app="my_app" NOT request.method="*"</CODE><BR /> <CODE>app="my_app" | where isnull('request.method')</CODE></P> <P>NOTE THE SINGLE QUOTES in the <CODE>isnull</CODE> call. Inside where/eval statements, splunk does not handle complex field names, well, and requires you wrap them in SINGLE quotes. </P> <P>Hopefully this answer makes sense and is helpful. </P> Mon, 20 Oct 2014 22:31:45 GMT abelnation 2014-10-20T22:31:45Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-have-null-values-for-a-field/m-p/167279#M47629 <P>I have json log lines that sometimes contain a <CODE>request</CODE> object of the form</P> <P><CODE>{<BR /> timestamp: ts_val,<BR /> app: "my_app",<BR /> request: {<BR /> method: "GET",<BR /> status: 200,<BR /> }<BR /> }<BR /> </CODE></P> <P>I am trying to query for events that do not have the <CODE>request</CODE> value using <CODE>isnull</CODE>/<CODE>isnotnull</CODE>, but it doesn't have the expected effect;</P> <P><CODE>app="my_app" | where isnull(request)</CODE></P> <P>Still returns the full set of events. Can someone clarify what splunk actually treats as NULL? I've seen some weird behavior with nested fields. Are there links to documentation of those conditions?</P> <P>Thanks!</P> <HR /> <P>I have also tried:</P> <P><CODE>app="my_app" request=*</CODE></P> Mon, 08 Jun 2020 19:32:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-have-null-values-for-a-field/m-p/167279#M47629 abelnation 2020-06-08T19:32:52Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-have-null-values-for-a-field/m-p/167280#M47630 <P>The key difference to my question is the fact that <CODE>request</CODE> points to a nested object.</P> <P>For simple fields whose values are literal values (string, boolean, int), any of the following would solve the simple case to find events where a top-level field, <CODE>testField</CODE> is null:</P> <P><CODE>app="my_app" NOT testField="*"</CODE><BR /> <CODE>app="my_app" | where isnull(testField)</CODE></P> <P>However, as my original post explained, I am trying to test for all events where <CODE>request</CODE> is not present, where <CODE>request</CODE> normally pointed to an object, not a literal value.</P> <P>If I query either:</P> <P><CODE>app="my_app" NOT request="*"</CODE><BR /> <CODE>app="my_app" | where isnull(request)</CODE></P> <P>It returns all events, effectively treating an object value in <CODE>request</CODE> as equivalent to NULL. HOWEVER, if I query specifically on a field I know to always be non-null inside the <CODE>request</CODE> object, e.g. <CODE>request.method</CODE>, I can get what I wanted:</P> <P><CODE>app="my_app" NOT request.method="*"</CODE><BR /> <CODE>app="my_app" | where isnull('request.method')</CODE></P> <P>NOTE THE SINGLE QUOTES in the <CODE>isnull</CODE> call. Inside where/eval statements, splunk does not handle complex field names, well, and requires you wrap them in SINGLE quotes. </P> <P>Hopefully this answer makes sense and is helpful. </P> Mon, 20 Oct 2014 22:31:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-have-null-values-for-a-field/m-p/167280#M47630 abelnation 2014-10-20T22:31:45Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-have-null-values-for-a-field/m-p/167281#M47631 <P>Damn, those single quotes got me...</P> Fri, 29 May 2020 13:06:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-that-have-null-values-for-a-field/m-p/167281#M47631 opsbbgl 2020-05-29T13:06:10Z