Solved: How to show results with null values and another v...

tromero3 · ‎04-13-2020

I have a field called "bunit" and I need to filter on results that either have a null value OR a value that contains "servers". I need to use wildcard with the servers because all the results are different, I just need to see anything that contains servers in it.

Adding where isnull(bunit) to the end of my search gives me all of the null results but how do I add the part where I look for any result with servers as a value?(using wildcard) So I want it to show both any field with null value or any field that contains servers in it.

Thank you!

jpolvino · ‎04-13-2020

You could try the like command:

Example:
where isnull(bunit) OR like(bunit,"%wildcard_is_pct%")

Here is the manpage

View solution in original post

jpolvino · ‎04-13-2020

You could try the like command:

Example:
where isnull(bunit) OR like(bunit,"%wildcard_is_pct%")

Here is the manpage

tromero3 · ‎04-13-2020

This works, thank you 🙂

How to show results with null values and another value with wildcard?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

How to show results with null values and another value with wildcard?

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25