For a field extracted at index-time, is there a way to put a default value such as "Empty" instead of having no field?

Super_Knulps
Explorer

Hello,

I have a field that is extracted at index-time if it matches a specific regexp.
However, in some cases, the extracted field is empty and therefore the field is NULL.

I would like to put a default value (basic string such as "Empty") instead of having no field.
Is there a way to do it using parameters in the configuration files or maybe using the regular expression ?

Basically I am doing this in most of my searches:

> my_field = $variable$

And I want to search:

> myfield = null()

Without modifying the "my_field = something" since this is templated.

Thank you very much !

0 Karma
1 Solution

rsennett_splunk
Splunk Employee

There is a parameter you can add to your transforms stanza so that if there is no value to hold, the field just doesn't exist.

KEEP_EMPTY_VALS = [true|false]

It sounds like you've set it to true, or that something has set that as the default (it defaults to false, so you should have no field if there is no value).

Then you begin your search with nameofindexfield=* and Splunk will work on only events where the field exists.

If you want the field to exist with a value, then fillnull or coalesce would be the way to go at search time (they are Search Language commands).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Super_Knulps
Explorer

Yes actually I would like the field to exist.
I would like to do > myfield=something at the beginning of my search and to avoid doing more operations.

If I use fillnull this means that I will have to do this:
| fillnull myfield | search myfield="0" | eval myfield= if(myfield="0","Empty", myfield) | ...
Which is really not the point.

0 Karma

woodcock
Esteemed Legend

You are mistaken, you can do something like this:

... | fillnull value="Empty" myfield | ...

Which, if I am not mistaken, is totally the point.

0 Karma

Super_Knulps
Explorer

Okay thank you woodcock, I understand what you mean.
My problem is that my search is templated and generated by Chef: it is following this format:
> myfield = $variable$

So there will always be a static part: "> myfield = ". In my case, this would work:

> myfield = * OR NOT myfield | fillnull value="Empty" myfield | search myfield="Empty"

But this is not pretty.
Anyway I think I will do this for now if there is no work around.

0 Karma

woodcock
Esteemed Legend

So you accept my unpretty answer?

0 Karma

rsennett_splunk
Splunk Employee

myfield=* means pull only events where myfield exists. In other words, the FIELD (not the value)

NOT myfield=* means pull only events where the field does NOT exist

In your case, as you said, you always have the field, but sometimes it contains NULL.
That's why woodcock is focusing on the fillnull, because that's all you need... OR NOT myfield is gibberish to Splunk.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
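As an added example, not part of this thread or of Splunk itself, here is a small Python model of the behaviour rsennett_splunk and woodcock describe: index-time extraction with KEEP_EMPTY_VALS false (the default) or true, the myfield=* and NOT myfield=* existence checks, and fillnull value="Empty" placed before search myfield="Empty". The raw events, the regexp and the field name myfield are constructed for the example; how the model treats an empty-string value is an assumption of the model, not a statement about Splunk internals.

```python
import re

# Constructed sample events (not from the thread). The regexp below captures
# whatever follows "user=" up to the next space, so the second event matches
# with an empty capture and the third event does not match at all.
RAW_EVENTS = [
    "2024-03-01T10:00:00Z action=login user=alice src=10.0.0.5",
    "2024-03-01T10:00:01Z action=login user= src=10.0.0.6",
    "2024-03-01T10:00:02Z action=logout src=10.0.0.7",
]

# Hypothetical transforms.conf REGEX; the field name "myfield" follows the thread.
FIELD_RE = re.compile(r"user=(?P<myfield>\S*)")


def extract(raw, keep_empty_vals=False):
    """Model index-time extraction of one event.

    With KEEP_EMPTY_VALS = false (the default) an empty capture produces no
    field at all; with true the field exists holding "". The model treats an
    empty-string field as "existing" for myfield=*; that is an assumption of
    this model, not a statement about Splunk internals.
    """
    event = {"_raw": raw}
    m = FIELD_RE.search(raw)
    if m:
        value = m.group("myfield")
        if value != "" or keep_empty_vals:
            event["myfield"] = value
    return event


def index_events(raws, keep_empty_vals=False):
    return [extract(r, keep_empty_vals) for r in raws]


def field_exists(events, name):
    """myfield=*  -> events in which the field exists."""
    return [e for e in events if name in e]


def field_missing(events, name):
    """NOT myfield=*  -> events in which the field does not exist."""
    return [e for e in events if name not in e]


def fillnull(events, name, value="0"):
    """fillnull value=<value> <field>: give the field to events that lack it
    (fillnull's default fill value is "0", hence the "0" in the thread)."""
    return [e if name in e else {**e, name: value} for e in events]


def search_value(events, name, value):
    """search myfield="<value>": exact match on an existing field value."""
    return [e for e in events if e.get(name) == value]


def naive_empty_search(events):
    """myfield="Empty" on its own matches nothing: the events the poster
    wants have no myfield at all, so there is no value to compare."""
    return search_value(events, "myfield", "Empty")


def templated_empty_search(events):
    """The thread's workaround, with the templated 'myfield = $variable$'
    part expanded to 'myfield=*':

        myfield=* OR NOT myfield=* | fillnull value="Empty" myfield
                                   | search myfield="Empty"
    """
    base = field_exists(events, "myfield") + field_missing(events, "myfield")
    filled = fillnull(base, "myfield", "Empty")
    return search_value(filled, "myfield", "Empty")


if __name__ == "__main__":
    events = index_events(RAW_EVENTS)
    print("myfield=*             ->", len(field_exists(events, "myfield")), "event(s)")
    print("NOT myfield=*         ->", len(field_missing(events, "myfield")), "event(s)")
    print('myfield="Empty" alone ->', len(naive_empty_search(events)), "event(s)")
    print("with fillnull first   ->", [e["_raw"] for e in templated_empty_search(events)])
```

Running it shows the point of the thread: with the default KEEP_EMPTY_VALS the empty capture and the non-matching event both end up without the field, myfield="Empty" on its own finds neither, and only fillnull before the search gives the field a value that the templated comparison can match.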

woodcock
Esteemed Legend

Do this at search time with fillnull (also see coalesce command).

Super_Knulps
Explorer

This is a good idea but I don't want other operations since I really would like to keep myfield=something at the beginning of my search. Something like myfield=null() would be perfect and I really want to avoid:
| fillnull myfield | search myfield="0" | eval myfield= if(myfield="0","Empty", myfield) | ...

which is very ugly.

0 Karma