All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to grab all the nulls from indexes?

AL3Z
Builder
‎01-24-2023 02:38 AM

Hi,

Could you provide me with the search query for one of my index es_splunk ,so that we can find all the null fields, regex case sensitive so it's only catching "null", all lower case, but they may ALL be that way anyway. Just mentioning for completeness... as well as there could be fields that are not "null" but simply an empty string. Those two cases should be checked if we want 100% coverage.

 

Thanks.

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2023 03:54 AM

As others already said what do you mean by "null fields"?

If you mean that you need all fields which contain literal "null" string, that's quite easy

index=myindex null

 If you mean that all possible extractions which are not actually extracted from given events... well, that's kinda impossible. Since most extraction work is done in search-time you don't know beforehand what fields you are supposed to have in the events. Only if a field matches a certain regex a given fields are extracted so you don't have a pre-defined set of fields which should be extracted from events for comparison with the values really extracted.

Reply

scelikok
SplunkTrust
SplunkTrust
‎01-24-2023 03:15 AM

Hi @AL3Z,

@ITWhisperer 's solution should help you. If not below query provides us some samples,

index=es_splunk | head 10

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-24-2023 03:09 AM

Are you looking for all events where any field no value (is null), or any field has the text "null" in any combination of case, or has any field has an empty string? You could try something like this

index=es_splunk
| eval _flag=0
| foreach *
  [| eval _flag=if(isnull('<<FIELD>>') OR match('<<FIELD>>',"(?i)null") OR '<<FIELD>>'=="", 1, _flag)]
| where _flag != 0

 Having said that, is that really what you want to do? 😀

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-24-2023 02:58 AM

Hi @AL3Z,

Could you please share some samples?

You can make regex with case insensitive option but I need to see sample events to cover your second case,

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

AL3Z
Builder
‎01-24-2023 03:01 AM

@scelikok 

could you pls provide me the query to get the  events 

 

thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...