Solved: Filtering NULL values after STATS

gmartinv · ‎05-17-2020

Hello Splunkers,

First of all, than you all for such great community.

I have a question. I am running a query in which I am using appendcols to append the results of a subsearch to my initial search. I am doing this because I am managing large datasets and I want to avoid using the JOIN command. My query is the following one:

index=active_directory (source="ACTIVE_DIRECTORY")
| dedup NUUMA
| eval NUUMA=tostring(upper(NUUMA))
| table NUUMA DISPLAYNAME UserAcControl

| stats values(UserAcControl) count by NUUMA

I am getting the results that I need, but after the STATS command, I need to select the UserAcControl attribute with NULL values. I have tried doing something like this, but it is not working:

…| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)

I am attaching a screenshot showing the the values that I want to capture.

Any thoughts??

Thank you!!

to4kawa · ‎05-17-2020

NULL is nothing, not "NULL" string.

| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)
→ | stats values(UserAcControl) as UserAcControl count by NUUMA | where UserAcControl="NULL"

View solution in original post

to4kawa · ‎05-17-2020

NULL is nothing, not "NULL" string.

| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)
→ | stats values(UserAcControl) as UserAcControl count by NUUMA | where UserAcControl="NULL"

gmartinv · ‎05-17-2020

Thank you!!

Filtering NULL values after STATS

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation