Solved: Add Filter Query if Field Exists

lmattar · ‎07-23-2020

Hi. I already have a Splunk query that we use in a production environment. We are now adding a new field that we'd like to filter on. However, we want to remain backwards compatible with the query so we can still view the data before adding this new field. Here's sort of what I'd like:

Current:

index=prod sourcetype="prod" year="2019" jobId="21766782-c79d-40c3-a9bf-a3b7269ef557"

With New Field:

index=prod sourcetype="prod" year="2019" jobId="21766782-c79d-40c3-a9bf-a3b7269ef557" if(exists(type), type="MY_TYPE", "")

I know this isn't the right syntax, but essentially I want to filter on that field if it exists in the data. If it doesn't, I want it to exclude it (basically use the old query).

renjith_nair · ‎07-23-2020

Try

index=prod sourcetype="prod" year="2019" jobId="21766782-c79d-40c3-a9bf-a3b7269ef557" 
|where  (type="MY_TYPE" OR isnull(type))

Happy Splunking!

View solution in original post

renjith_nair · ‎07-23-2020

Try

index=prod sourcetype="prod" year="2019" jobId="21766782-c79d-40c3-a9bf-a3b7269ef557" 
|where  (type="MY_TYPE" OR isnull(type))

Happy Splunking!

lmattar · ‎07-24-2020

This worked! Thank you very much!!

Add Filter Query if Field Exists

fields

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...