Splunk Search

How can I search for a missing field?

hulahoop
Splunk Employee

Let's say I have events A and B:

A -- Feb 1 2010 10:10:00 field1=foo field2=bar
B -- Feb 1 2010 10:10:01 field1=foo

How can I find all events where field2 is missing (essentially event B in this tiny example)?

1 Solution

hulahoop
Splunk Employee

Ok, so I tried a few things, and this is what ended up working:

NOT field2=*

It would be more intuitive if this worked also:

field2=""


support0
Path Finder

fillnull field2 | search field2=0


dinh
Path Finder

You can do this on your search:

| where isnull(field2)

lmoceze
Engager

That's the answer, thanks!


gkanapathy
Splunk Employee

Note that using

field2!=*

will not work either. This will never return any events, as it will always be false. This means that field2!=* and NOT field2=* are not entirely equivalent. In particular, in the case where field2 doesn't exist, the former is false, while the latter is true.

gkanapathy
Splunk Employee

Well, I guess it depends what you mean by "logically equivalent", but there is a difference in meaning regardless of how Splunk treats them.


gkanapathy
Splunk Employee

No they are not logically equivalent. There is a difference between being empty, and not existing.

hulahoop
Splunk Employee

It seems like they are logically equivalent, but Splunk does not treat them so. Is that a fair statement?


leonjxtan
Path Finder

The first code works; the second code doesn't.


otman01
Communicator

It works, thank you all, have a nice day.


gkanapathy
Splunk Employee

Yes, it can happen.


hulahoop
Splunk Employee

Hey k8to, I'm just wondering if it can actually happen, and if Splunk would behave consistently.


jrodman
Splunk Employee

It's a valid state of a field.
You can get there with regex extractions.

Do you mean that this is an undesirable thing?

hulahoop
Splunk Employee

Yes, but in Splunk land, would a field ever exist and be empty?


gkanapathy
Splunk Employee

field2="" means something very different. It means that field2 exists, but has an empty string value.

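As an added illustration, not part of the thread above, here is a small Python model of the three field states the answers distinguish (absent, present with a value, present but empty) and how each of the searches proposed in the thread behaves on them. The third event C, the modelling of `!=` as "field exists and value differs", and the treatment of an existing empty string as a value rather than null are assumptions of this model, not statements from the thread.

```python
import fnmatch

# Constructed events: A and B from the question, plus a constructed C in which
# field2 exists but holds an empty string (the state jrodman says a regex
# extraction can produce).
EVENTS = {
    "A": {"_time": "Feb 1 2010 10:10:00", "field1": "foo", "field2": "bar"},
    "B": {"_time": "Feb 1 2010 10:10:01", "field1": "foo"},                # field2 absent
    "C": {"_time": "Feb 1 2010 10:10:02", "field1": "foo", "field2": ""},  # field2 empty
}

def match_eq(ev, field, pattern):
    """field=pattern: true only if the field exists and its value matches (* is a wildcard)."""
    return field in ev and fnmatch.fnmatchcase(ev[field], pattern)

def match_neq(ev, field, pattern):
    """field!=pattern: the field must exist AND its value must not match.
    Every existing value matches '*', and an absent field has nothing to
    compare, so field!=* can never be true (gkanapathy's point)."""
    return field in ev and not fnmatch.fnmatchcase(ev[field], pattern)

def match_not_eq(ev, field, pattern):
    """NOT field=pattern: plain negation of field=pattern, so an absent field passes."""
    return not match_eq(ev, field, pattern)

def where_isnull(ev, field):
    """| where isnull(field): true when the field is absent.
    Assumption of this model: an existing empty string is a value, not null."""
    return field not in ev

def fillnull_then_search(ev, field, fill="0"):
    """| fillnull field | search field=0: absent fields receive the fill value
    (fillnull's default is 0), then an exact match keeps only those events."""
    filled = dict(ev)
    filled.setdefault(field, fill)
    return filled[field] == fill

SEARCHES = {
    "NOT field2=*": lambda ev: match_not_eq(ev, "field2", "*"),
    "field2!=*": lambda ev: match_neq(ev, "field2", "*"),
    'field2=""': lambda ev: match_eq(ev, "field2", ""),
    "| where isnull(field2)": lambda ev: where_isnull(ev, "field2"),
    "fillnull field2 | search field2=0": lambda ev: fillnull_then_search(ev, "field2"),
}

def run(search):
    """Return the names of the constructed events the given search keeps."""
    return [name for name, ev in EVENTS.items() if SEARCHES[search](ev)]

if __name__ == "__main__":
    for s in SEARCHES:
        print(f"{s:36} -> {run(s)}")
```

Only `NOT field2=*`, `where isnull(field2)` and the `fillnull` variant select B; `field2!=*` selects nothing, and `field2=""` selects only C, the event where the field exists but is empty.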