Filtering NULL values after STATS

gmartinv
New Member

Hello Splunkers,

First of all, thank you all for such a great community.

I have a question. I am running a query in which I am using appendcols to append the results of a subsearch to my initial search. I am doing this because I am managing large datasets and I want to avoid using the JOIN command. My query is the following one:

index=active_directory (source="ACTIVE_DIRECTORY")
| dedup NUUMA
| eval NUUMA=tostring(upper(NUUMA))
| table NUUMA DISPLAYNAME UserAcControl

| appendcols [search index=active_directory source="APP1" | dedup USERNAME | fields USERNAME UserAcControl |eval NUUMA=tostring(upper(USERNAME)) | fillnull value=NULL UserAcControl]

| stats values(UserAcControl) count by NUUMA

I am getting the results that I need, but after the STATS command, I need to select the UserAcControl attribute with NULL values. I have tried doing something like this, but it is not working:

…| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)

I am attaching a screenshot showing the values that I want to capture.

Any thoughts??

Thank you!!

0 Karma
1 Solution

to4kawa
Ultra Champion

NULL is nothing, not "NULL" string.

| stats values(UserAcControl) count by NUUMA | where isnull(UserAcControl)
| stats values(UserAcControl) as UserAcControl count by NUUMA | where UserAcControl="NULL"

0 Karma
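
A run-anywhere search illustrating the accepted answer, added here as an example and not part of the original thread. The NUUMA values (U001 to U004), the UserAcControl values (512, 514) and the helper fields before_fillnull, isnull_after and equals_NULL_string are constructed for illustration; it shows that a field is truly null before fillnull and holds the literal string NULL afterwards, so isnull() no longer matches it after stats.

```spl
| makeresults count=4
| streamstats count AS n
| eval NUUMA=case(n=1,"U001", n=2,"U002", n=3,"U003", n=4,"U004")
| eval UserAcControl=case(n=1,"512", n=3,"514")
| eval before_fillnull=if(isnull(UserAcControl),"null","has value")
| fillnull value=NULL UserAcControl
| stats values(UserAcControl) AS UserAcControl values(before_fillnull) AS before_fillnull count BY NUUMA
| eval isnull_after=if(isnull(UserAcControl),"true","false")
| eval equals_NULL_string=if(UserAcControl="NULL","true","false")
| table NUUMA UserAcControl before_fillnull isnull_after equals_NULL_string
```

Appending `| where UserAcControl="NULL"` keeps only the accounts whose attribute was missing. If the fillnull line is removed instead, those rows stay truly null and `| where isnull(UserAcControl)` is the test that matches them.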


gmartinv
New Member

Thank you!!

0 Karma