https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211090#M61729 <P>so if you wanted to search for two fields such as NULL and inuse would it be something like this: <BR /> NOT dv_install_status="*" OR dv_install_status="In use" ? </P> Tue, 29 Sep 2020 08:51:22 GMT hastrike 2020-09-29T08:51:22Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211083#M61722 <P>Is there a best way to search for blank fields in a search? <CODE>isnull()</CODE> or <CODE>=""</CODE> doesn't seem to work. Is there way to do this? The only thing we have been able to do is do a f-llnull and then search for those fields we filled in those fields with a specific term.</P> Mon, 22 Feb 2016 19:04:37 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211083#M61722 hastrike 2016-02-22T19:04:37Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211084#M61723 <P>The isnull should work fine, if you're able to use <CODE>fillnull</CODE>. Could you post the search that you tried with <CODE>fillnull</CODE>?</P> Mon, 22 Feb 2016 19:20:41 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211084#M61723 somesoni2 2016-02-22T19:20:41Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211085#M61724 <P>I am actually asking on behalf of co-worker. We would like not have to fill in the blank space we just want to find all the fields where it is blank. IsNull didn't seem to be working. The only thing he seemed to be able to use is fillnull (| fillnull value="Blank" dv_install_status) then then search for the field where it said blank. Is there any way to search for blank fields with out doing fill null?</P> Tue, 29 Sep 2020 08:51:14 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211085#M61724 hastrike 2020-09-29T08:51:14Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211086#M61725 <P>If the fillnull is working, I would give this a try</P> <PRE><CODE>your base search | where isnull(dv_install_status) </CODE></PRE> Mon, 22 Feb 2016 19:32:39 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211086#M61725 somesoni2 2016-02-22T19:32:39Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211087#M61726 <P>so just checking is that searching field dv_install_status for any fields that is null? </P> Tue, 29 Sep 2020 08:51:17 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211087#M61726 hastrike 2020-09-29T08:51:17Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211088#M61727 <P>hi hastrike,</P> <P>use <CODE>NOT field="*"</CODE></P> <P>for more informations, follow this link:</P> <P><A href="https://answers.splunk.com/answers/28197/how-do-i-search-for-event-with-null-values-in-fields.html">https://answers.splunk.com/answers/28197/how-do-i-search-for-event-with-null-values-in-fields.html</A> </P> Mon, 22 Feb 2016 19:47:26 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211088#M61727 gyslainlatsa 2016-02-22T19:47:26Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211089#M61728 <P>It's just selecting events where dv_install_status is null.</P> Tue, 29 Sep 2020 08:51:20 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211089#M61728 somesoni2 2020-09-29T08:51:20Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211090#M61729 <P>so if you wanted to search for two fields such as NULL and inuse would it be something like this: <BR /> NOT dv_install_status="*" OR dv_install_status="In use" ? </P> Tue, 29 Sep 2020 08:51:22 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211090#M61729 hastrike 2020-09-29T08:51:22Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211091#M61730 <P><CODE>"In use"</CODE> is a value of <CODE>*</CODE></P> <P>just write <CODE>NOT dv_install_status="*"</CODE></P> Mon, 22 Feb 2016 20:05:08 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211091#M61730 gyslainlatsa 2016-02-22T20:05:08Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211092#M61731 <P>We just want to find all the fields with In use as the event or if the field is null. Won't this find any event with the * since that is thee wild card? </P> Mon, 22 Feb 2016 20:10:17 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211092#M61731 hastrike 2016-02-22T20:10:17Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211093#M61732 <P>NOT dv_install status = "*" will find all the events wherethe value of the field dv_install_status is empty or zero.</P> <P>try and see the results because I have already used this option </P> Tue, 29 Sep 2020 08:51:25 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211093#M61732 gyslainlatsa 2020-09-29T08:51:25Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211094#M61733 <P>thanks, don't forget to vote</P> Mon, 22 Feb 2016 20:41:58 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211094#M61733 gyslainlatsa 2016-02-22T20:41:58Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211095#M61734 <P>Old question, but isnull does work for me. These two searches are equivalent:</P> <PRE><CODE>index=cers A_Number=04* | where isnull(MoLiIn) index=cers A_Number=04* NOT MoLiIn=* </CODE></PRE> Thu, 05 Apr 2018 07:09:38 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211095#M61734 nigel_pearson_a 2018-04-05T07:09:38Z https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211096#M61735 <P>To expand on this, since I recently ran into the very same issue. If you have a search time field extraction and an event that <EM>should</EM> contain the field but doesn't, you can't do a search for <CODE>fieldname=""</CODE> because the field doesn't get extracted if it's not there.</P> <P>But if you search for events that <EM>should</EM> contain the field and want to specifically find events that don't have the field set, the following worked for me (the index/sourcetype combo should always have fieldname set in my case):</P> <PRE><CODE>index=myindex sourcetype=mysourcetype NOT fieldname=* </CODE></PRE> <P>All of which is a long way of saying make sure you include search criteria that should always find events with that field set.</P> Tue, 14 May 2019 12:45:18 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-best-way-to-search-for-blank-null-fields-in-a-search/m-p/211096#M61735 ehennessey_splu 2019-05-14T12:45:18Z