Splunk Enterprise Security

How to show results with null values and another value with wildcard?

tromero3
Path Finder

I have a field called "bunit" and I need to filter on results that either have a null value OR a value that contains "servers". I need to use wildcard with the servers because all the results are different, I just need to see anything that contains servers in it.

Adding where isnull(bunit) to the end of my search gives me all of the null results but how do I add the part where I look for any result with servers as a value?(using wildcard) So I want it to show both any field with null value or any field that contains servers in it.

Thank you!

0 Karma
1 Solution

jpolvino
Builder

You could try the like command:

Example:
where isnull(bunit) OR like(bunit,"%wildcard_is_pct%")

Here is the manpage

View solution in original post

0 Karma

jpolvino
Builder

You could try the like command:

Example:
where isnull(bunit) OR like(bunit,"%wildcard_is_pct%")

Here is the manpage

0 Karma

tromero3
Path Finder

This works, thank you 🙂

Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...