Solved: Re: How to show results with null values and anoth...

tromero3 · ‎04-13-2020

I have a field called "bunit" and I need to filter on results that either have a null value OR a value that contains "servers". I need to use wildcard with the servers because all the results are different, I just need to see anything that contains servers in it.

Adding where isnull(bunit) to the end of my search gives me all of the null results but how do I add the part where I look for any result with servers as a value?(using wildcard) So I want it to show both any field with null value or any field that contains servers in it.

Thank you!

jpolvino · ‎04-13-2020

You could try the like command:

Example:
where isnull(bunit) OR like(bunit,"%wildcard_is_pct%")

Here is the manpage

View solution in original post

jpolvino · ‎04-13-2020

You could try the like command:

Example:
where isnull(bunit) OR like(bunit,"%wildcard_is_pct%")

Here is the manpage

tromero3 · ‎04-13-2020

This works, thank you 🙂

How to show results with null values and another value with wildcard?

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?

How to show results with null values and another value with wildcard?

Community Content Calendar, August edition

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever