
How to grab all the nulls from indexes?

AL3Z
Path Finder

Hi,

Could you provide me with the search query for one of my indexes, es_splunk, so that we can find all the null fields? The regex should be case sensitive so it's only catching "null", all lower case, but they may ALL be that way anyway. Just mentioning for completeness... as well as that there could be fields that are not "null" but simply an empty string. Those two cases should be checked if we want 100% coverage.


Thanks.

0 Karma

PickleRick
Ultra Champion

As others already said, what do you mean by "null fields"?

If you mean that you need all fields which contain literal "null" string, that's quite easy

index=myindex null

If you mean all possible extractions which are not actually extracted from given events... well, that's kinda impossible. Since most extraction work is done at search time, you don't know beforehand which fields you are supposed to have in the events. Only if a field matches a certain regex are the given fields extracted, so you don't have a pre-defined set of fields which should be extracted from events for comparison with the values really extracted.

scelikok
SplunkTrust

Hi @AL3Z,

@ITWhisperer's solution should help you. If not, the query below provides some samples:

index=es_splunk | head 10


If this reply helps you an upvote is appreciated.
0 Karma

ITWhisperer
SplunkTrust

Are you looking for all events where any field has no value (is null), or any field has the text "null" in any combination of case, or any field has an empty string? You could try something like this:

index=es_splunk
| eval _flag=0
| foreach *
  [| eval _flag=if(isnull('<<FIELD>>') OR match('<<FIELD>>',"(?i)null") OR '<<FIELD>>'=="", 1, _flag)]
| where _flag != 0

 Having said that, is that really what you want to do? 😀

0 Karma
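To make the three conditions in the foreach query above concrete (field absent, field equal to the empty string, field containing the text "null" with or without regard to case), here is an added Python example that runs the same checks over a handful of constructed JSON events. It is not from the original thread and is not Splunk code; it also makes PickleRick's point explicit, because detecting an absent field only works against an explicit list of expected field names (EXPECTED_FIELDS, an assumption of the example), which a search-time `foreach *` does not have.

```python
import json
import re

# Constructed sample events for this example (not from the original post): one
# JSON object per line, standing in for events whose fields Splunk extracts at
# search time. Each one exercises a different case from the thread.
SAMPLE_EVENTS = [
    '{"user": "alice", "src_ip": "10.0.0.5", "action": "login"}',   # clean
    '{"user": "bob", "src_ip": "null", "action": "login"}',         # literal "null"
    '{"user": "NULL", "src_ip": "10.0.0.7", "action": "logout"}',   # literal "NULL"
    '{"user": "carol", "src_ip": "", "action": "logout"}',          # empty string
    '{"user": "dave", "action": "login"}',                          # field absent
    '{"user": "erin", "src_ip": "10.0.0.9", "action": "nullable"}', # substring only
]

# Assumed set of fields every event is expected to carry. The SPL `foreach *`
# has no such list, which is why a missing extraction is invisible to it.
EXPECTED_FIELDS = ("user", "src_ip", "action")


def classify_fields(event, expected_fields, case_sensitive=False, exact=True):
    """Return {field: reason} for every expected field that fails a check.

    Reasons mirror the three branches of the SPL eval:
      'missing'      -> isnull('<<FIELD>>')   (field absent, or JSON null)
      'empty'        -> '<<FIELD>>'==""
      'literal_null' -> match('<<FIELD>>', "(?i)null")

    exact=True anchors the regex (^null$) so that values such as "nullable"
    are not flagged; exact=False reproduces the unanchored SPL match().
    case_sensitive=False reproduces the (?i) flag from the thread.
    """
    pattern = r"^null$" if exact else r"null"
    flags = 0 if case_sensitive else re.IGNORECASE
    null_rx = re.compile(pattern, flags)

    reasons = {}
    for field in expected_fields:
        value = event.get(field)
        if value is None:                 # absent key or JSON null
            reasons[field] = "missing"
        elif value == "":
            reasons[field] = "empty"
        elif null_rx.search(str(value)):  # search() is unanchored, like SPL match()
            reasons[field] = "literal_null"
    return reasons


def find_null_events(lines, expected_fields, **options):
    """Parse each JSON line and return [(line_index, reasons)] for flagged events.

    This is the Python equivalent of `| where _flag != 0` in the thread's query,
    except that it also reports which field triggered the flag and why.
    """
    flagged = []
    for index, line in enumerate(lines):
        event = json.loads(line)
        reasons = classify_fields(event, expected_fields, **options)
        if reasons:
            flagged.append((index, reasons))
    return flagged


if __name__ == "__main__":
    for index, reasons in find_null_events(SAMPLE_EVENTS, EXPECTED_FIELDS):
        print(index, reasons)
```

Two things worth noticing when transferring this back to SPL: `match()` is an unanchored regex match, so a value like "nullable" satisfies `match('<<FIELD>>',"(?i)null")` unless you anchor the pattern (`"^(?i)null$"`), and the original poster's case-sensitive variant is just the same check without `(?i)`; both knobs are parameters here so you can see which events each choice catches.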

scelikok
SplunkTrust

Hi @AL3Z,

Could you please share some samples?

You can make the regex with the case-insensitive option, but I need to see sample events to cover your second case.


If this reply helps you an upvote is appreciated.
0 Karma

AL3Z
Path Finder

@scelikok 

Could you please provide me the query to get the events?

Thanks

0 Karma