
For a field extracted at index-time, is there a way to put a default value such as "Empty" instead of having no field?

Explorer

Hello,

I have a field that is extracted at index-time if it matches a specific regexp.
However, in some cases, the extracted field is empty and therefore the field is NULL.

I would like to put a default value (basic string such as "Empty") instead of having no field.
Is there a way to do it using parameters in the configuration files or maybe using the regular expression?

Basically I am doing this in most of my searches:

> my_field = $variable$

And I want to search:

> myfield = null()

Without modifying the "my_field = something" since this is templated.

Thank you very much!


Esteemed Legend

Do this at search time with fillnull (also see coalesce command).


Explorer

This is a good idea but I don't want other operations since I really would like to keep myfield=something at the beginning of my search. Something like myfield=null() would be perfect and I really want to avoid:
| fillnull myfield | search myfield="0" | eval myfield= if(myfield="0","Empty", myfield) | ...

which is very ugly.


Splunk Employee

There is a parameter you can add to your transforms stanza so that if there is no value to hold, the field just doesn't exist.

KEEP_EMPTY_VALS = [true|false]

It sounds like you've set it to true, or that something has set that as the default (it defaults to false, so you should have no field if there is no value).

Then you begin your search with nameofindexfield=* and Splunk will work on only events where the field exists.

If you want the field to exist with a value, then fillnull or coalesce would be the way to go at search time (they are Search Language commands).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

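As an added illustration (not written by any of the posters), here is what the index-time extraction described in the accepted answer looks like in the configuration files, with the search behaviour that follows from each KEEP_EMPTY_VALS setting; the sourcetype, stanza name, regex and field name are assumed:

```ini
# transforms.conf  (constructed example; stanza name, regex and field name are assumed)
[myfield_indexed]
# The named capture group feeds the field; [^\s]* can match an empty string,
# which is exactly the case the original poster is asking about.
REGEX = user=(?<myfield>[^\s]*)
FORMAT = myfield::$1
WRITE_META = true
# false (the default): an empty match writes no key at all, so the event has
# no myfield. "myfield=*" will not return it; "NOT myfield=*" will.
# true: the key is written with an empty value, so the field "exists" but is
# empty, which is the situation described in the question.
KEEP_EMPTY_VALS = false

# props.conf  (binds the transform to the sourcetype at index time)
[my_sourcetype]
TRANSFORMS-myfield = myfield_indexed

# fields.conf  (tells search to treat myfield as an indexed field)
[myfield]
INDEXED = true
```

With KEEP_EMPTY_VALS = false the templated "myfield=$variable$" clause only ever matches events that actually carry the field, and giving the remaining events a value is done at search time with "... | fillnull value="Empty" myfield", as the replies say.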

Explorer

Yes actually I would like the field to exist.
I would like to do > myfield=something at the beginning of my search and to avoid doing more operations.

If I use fillnull this means that I will have to do this:
| fillnull myfield | search myfield="0" | eval myfield= if(myfield="0","Empty", myfield) | ...
Which is really not the point.


Esteemed Legend

You are mistaken, you can do something like this:

... | fillnull value="Empty" myfield | ...

Which, if I am not mistaken, is totally the point.


Explorer

Okay, thank you woodcock, I understand what you mean.
My problem is that my search is templated and generated by Chef: it is following this format:
> myfield = $variable$

So there will always be a static part: "> myfield = ". In my case, this would work:

> myfield = * OR NOT myfield | fillnull value="Empty" myfield | search myfield="Empty"

But this is not pretty.
Anyway, I think I will do this for now if there is no workaround.


Splunk Employee
Splunk Employee

myfield=* means pull only events where myfield exists. In other words, the FIELD (not the value).

NOT myfield=* means pull only events where the field does NOT exist.

In your case, as you said, you always have the field, but sometimes it contains NULL.
That's why woodcock is focusing on the fillnull because that's all you need... OR NOT myfield is gibberish to Splunk.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

Esteemed Legend

So you accept my unpretty answer?
