Solved: How can I find events having NULL value related to...

sbhatnagar88 · ‎03-01-2019

Hi,

I am trying to find all the events related to a field where value is NULL.

For E.g., say a field has multiple values like:

abc
def
mno
         -- This is NULL value
xyz
           -- This is NULL value
pqr.

I am trying to search via the below query, but that's not working.
Here parent_incident is field name, which contains multiple values including NULL, and I need data related to NULL values only.

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/" NOT parent_incident=*

Any help would be appreciable.

Thanks

sbhatnagar88 · ‎03-01-2019

Hi @ vnravikumar,

i already have where condition to filter out the month so I am putting your response like this but it doesn't seems to be working.

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/"
| where strftime(_time,"%B %Y")="February 2019" AND isnull(parent_incident)

Thanks

View solution in original post

sbhatnagar88 · ‎03-01-2019

Hi @ vnravikumar,

i already have where condition to filter out the month so I am putting your response like this but it doesn't seems to be working.

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/"
| where strftime(_time,"%B %Y")="February 2019" AND isnull(parent_incident)

Thanks

vnravikumar · ‎03-01-2019

What is the response you are getting?

sbhatnagar88 · ‎03-01-2019

no data coming up with this condition ...

vnravikumar · ‎03-01-2019

Please confirm whether you have data for February month and time range what you had selected

sbhatnagar88 · ‎03-01-2019

yes, we have because when I remove isnull(parent_incident) condition, it shows me data and parent_incident has NULL value as well..

vnravikumar · ‎03-01-2019

Hi @sbhatnagar88

Try like

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/" | where isnull(parent_incident)

vnravikumar · ‎03-01-2019

It has to work

| makeresults 
| eval test= null(),test1="sample" 
| where strftime(_time,"%B %Y")="March 2019" AND isnull(test)

vnravikumar · ‎03-01-2019

Please confirm whether parent_incident contains null values by removing strftime(_time,"%B %Y")="February 2019" in your search

Also, try

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/"
| where strftime(_time,"%B %Y")="February 2019" AND parent_incident=""

sbhatnagar88 · ‎03-01-2019

Hi,
below one worked .. i tried all these yesterday but they didn't work for me because I gave space between double quotes. without spaces it showed me data related to NULL values

index=main sourcetype=snow:incident endpoint="https://server.service-now.com/"
| where strftime(_time,"%B %Y")="February 2019" AND parent_incident=""

Thanks Much!!

vnravikumar · ‎03-01-2019

Good to hear. Please accept the answer.

How can I find events having NULL value related to a field?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!