Hello,
I have a field that is extracted at index-time if it matches a specific regexp.
However, in some cases, the extracted field is empty and therefore the field is NULL.
I would like to put a default value (basic string such as "Empty") instead of having no field.
Is there a way to do it using parameters in the configuration files, or maybe using the regular expression?
Basically I am doing this in most of my searches:
> my_field = $variable$
And I want to search:
> myfield = null()
Without modifying the "my_field = something" since this is templated.
Thank you very much!
There is a parameter you can add to your transforms stanza so that if there is no value to hold, the field just doesn't exist.
KEEP_EMPTY_VALS = [true|false]
It sounds like you've set it to true, or that something has set that as the default (it defaults to false, so you should have no field if there is no value).
Then you begin your search with nameofindexfield=* and Splunk will work on only events where the field exists.
If you want the field to exist with a value, then fillnull or coalesce would be the way to go at search time (they are Search Language commands).
Yes actually I would like the field to exist.
I would like to do > myfield=something at the beginning of my search and to avoid doing more operations.
If I use fillnull, this means that I will have to do this:
| fillnull myfield | search myfield="0" | eval myfield= if(myfield="0","Empty", myfield) | ...
Which is really not the point.
You are mistaken; you can do something like this:
... | fillnull value="Empty" myfield | ...
Which, if I am not mistaken, is totally the point.
Okay thank you woodcock, I understand what you mean.
My problem is that my search is templated and generated by Chef: it is following this format:
> myfield = $variable$
So there will always be a static part: "> myfield = ". In my case, this would work:
> myfield = * OR NOT myfield | fillnull value="Empty" myfield | search myfield="Empty"
But this is not pretty.
Anyway I think I will do this for now if there is no work around.
So you accept my unpretty answer?
myfield=* means pull only events where myfield exists. In other words, the FIELD (not the value).
NOT myfield=* means pull only events where the field does NOT exist.
In your case, as you said, you always have the field, but sometimes it contains NULL.
That's why woodcock is focusing on the fillnull, because that's all you need... OR NOT myfield is gibberish to Splunk.
Do this at search time with fillnull (also see the coalesce command).
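As an added example, not code from the thread or from Splunk's own documentation, here is what the index-time extraction and the KEEP_EMPTY_VALS setting from the first answer look like in props.conf, transforms.conf and fields.conf, with the search-time fillnull that woodcock and the answer above converge on described afterwards. The sourcetype name, stanza name, field name and regex are assumptions chosen to show the empty-capture case.

```ini
# props.conf: bind the index-time transform to a sourcetype (assumed name)
[my_sourcetype]
TRANSFORMS-my_field = my_field_indexed

# transforms.conf: index-time extraction (assumed stanza, regex and field name)
[my_field_indexed]
# \w* can legitimately match zero characters, so a constructed event such as
#   "user= action=login src=10.0.0.5"
# matches the regex but leaves capture group 1 empty.
REGEX = user=(\w*)
FORMAT = my_field::$1
# WRITE_META = true is what makes this an indexed field (DEST_KEY = _meta)
WRITE_META = true
# false is the default: an empty capture writes no field at all, so the event
# is returned by "NOT my_field=*" and skipped by "my_field=*".
# true: the field is written with an empty value instead.
KEEP_EMPTY_VALS = false

# fields.conf: declare the field as indexed so searches on it hit the index
# rather than a search-time extraction
[my_field]
INDEXED = true
```

With this in place, a search that starts with `my_field=*` returns only events where the capture matched at least one character, and `NOT my_field=*` returns the ones where it was empty. To get the literal default value the thread is after, the field has to be filled at search time, e.g. `my_field=* OR NOT my_field=* | fillnull value="Empty" my_field | search my_field="Empty"`; there is no transforms.conf setting that writes a substitute value in place of an empty capture. Two caveats a practitioner would want: index-time settings only affect events indexed after the change (already-indexed events keep whatever was written), and since fillnull must follow the first pipe, a Chef-generated prefix of the form `my_field=$variable$` cannot express it, which is exactly the gap the thread leaves open.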
This is a good idea but I don't want other operations since I really would like to keep myfield=something at the beginning of my search. Something like myfield=null() would be perfect and I really want to avoid:
| fillnull myfield | search myfield="0" | eval myfield= if(myfield="0","Empty", myfield) | ...
which is very ugly.