Splunk Search

Handling empty fields in format command

ceedwlt
Explorer

I have a search that uses a subsearch to filter out certain kinds of logs. I'm using the format command to create the filter list for the base search, as so:

<base search> | where NOT [<subsearch> | fields <field> | format]

Everything works fine until there's a time period where there's nothing that needs filtering. Instead, format simply returns NOT () which causes the base search to fail with this message:

Error in 'where' command: The 'not' function is unsupported or undefined.

Is there a standard way to handle this situation? I've tried using fillnull with no success.

Thanks in advance.

0 Karma
1 Solution

somesoni2
Revered Legend

Just replace "| where" by "| search" and it should work fine.

<query> | search NOT [<sub-query> | fields <field> | format]

See this run anywhere sample search

index=_internal  earliest=-15m  | head 100 | search NOT [ search index=_internal32454  earliest=-15m | head 1| table sourcetype | makemv sourcetype | mvexpand sourcetype | format ]| stats count by sourcetype

Replace search by where to check that your error is replicated

View solution in original post

woodcock
Esteemed Legend

Get rid of the | where and it should work fine.

ceedwlt
Explorer

This also works, I didn't have time to check it earlier. Thanks!

0 Karma

somesoni2
Revered Legend

Just replace "| where" by "| search" and it should work fine.

<query> | search NOT [<sub-query> | fields <field> | format]

See this run anywhere sample search

index=_internal  earliest=-15m  | head 100 | search NOT [ search index=_internal32454  earliest=-15m | head 1| table sourcetype | makemv sourcetype | mvexpand sourcetype | format ]| stats count by sourcetype

Replace search by where to check that your error is replicated

ceedwlt
Explorer

Perfect, that solved it - thanks!

0 Karma

woodcock
Esteemed Legend

As my solution indicates, you should not need either clause.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...