Let's say I have events A and B:
A -- Feb 1 2010 10:10:00 field1=foo field2=bar
B -- Feb 1 2010 10:10:01 field1=foo
How can I find all events where field2 is missing (essentially event B in this tiny example)?
Ok, so I tried a few things, and this is what ended up working:
NOT field2=*
It would be more intuitive if this worked also:
field2=""
fillnull field2 | search field2=0
You can do this on your search:
| where isnull(field2)
That's the answer, thanks!
Note that using
field2!=*
will not work either. This will never return any events, as it will always be false. This means that field2!=* and NOT field2=* are not entirely equivalent. In particular, in the case where field2 doesn't exist, the former is false, while the latter is true.
Well, I guess it depends what you mean by "logically equivalent", but there is a difference in meaning regardless of how Splunk treats them.
No they are not logically equivalent. There is a difference between being empty, and not existing.
It seems like they are logically equivalent, but Splunk does not treat them so. Is that a fair statement?
The first code works; the second code doesn't.
It works, thank you all, have a nice day.
Yes, it can happen.
Hey k8to, I'm just wondering if it can actually happen, and if Splunk would behave consistently.
It's a valid state of a field.
You can get there with regex extractions.
Do you mean that this is an undesirable thing?
Yes, but in Splunk land, would a field ever exist and be empty?
field2="" means something very different. It means that field2 exists, but has an empty string value.
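To make the "missing" versus "empty" distinction from this thread concrete, here is a small Python model of the search predicates discussed above, run over three constructed events: one where field2 has a value, one where field2 was never extracted, and one where field2 exists but is an empty string. This is an added example, not Splunk code and not code from anyone in the thread; the evaluator encodes the semantics the replies describe (field2!=* is false when the field is missing, NOT field2=* and where isnull(field2) are true when it is missing, field2="" matches only an existing empty string) and, as an assumption, treats an empty-string field as existing so that field2=* keeps it. The `fillnull` model fills only absent fields with the default value "0", which is also an assumption of the model. The event dicts and event C are constructed for illustration.

```python
# Added example: a model of the Splunk search predicates discussed in the thread.
# Not Splunk code; the semantics follow the thread's statements and the
# assumptions named in the lead-in.
from typing import Dict, List

# Constructed sample events. A missing key models "field never extracted";
# an empty string models "field extracted, but empty" (e.g. a regex capture
# group that matched zero characters). Event C is constructed for illustration.
EVENTS: List[Dict[str, str]] = [
    {"_raw": "A -- Feb 1 2010 10:10:00 field1=foo field2=bar", "field1": "foo", "field2": "bar"},
    {"_raw": "B -- Feb 1 2010 10:10:01 field1=foo", "field1": "foo"},                    # field2 absent
    {"_raw": "C -- Feb 1 2010 10:10:02 field1=foo field2=", "field1": "foo", "field2": ""},  # field2 empty
]


def field_eq_wildcard(event: Dict[str, str], field: str) -> bool:
    """field2=* : true only when the field exists (any value, empty string included; assumption)."""
    return field in event


def field_ne_wildcard(event: Dict[str, str], field: str) -> bool:
    """field2!=* : a comparison against a missing field is false, and * matches every
    existing value, so this predicate is false for every event (as the thread notes)."""
    return field in event and not field_eq_wildcard(event, field)


def not_field_eq_wildcard(event: Dict[str, str], field: str) -> bool:
    """NOT field2=* : the negation of 'field exists', so true exactly when it is missing."""
    return not field_eq_wildcard(event, field)


def where_isnull(event: Dict[str, str], field: str) -> bool:
    """| where isnull(field2) : true when the field was never extracted."""
    return field not in event


def field_eq_empty(event: Dict[str, str], field: str) -> bool:
    """field2=\"\" : the field exists and its value is the empty string."""
    return field in event and event[field] == ""


PREDICATES = {
    "field2=*": field_eq_wildcard,
    "field2!=*": field_ne_wildcard,
    "NOT field2=*": not_field_eq_wildcard,
    "where isnull(field2)": where_isnull,
    'field2=""': field_eq_empty,
}


def label(event: Dict[str, str]) -> str:
    """Event label = first token of _raw ('A', 'B', 'C')."""
    return event["_raw"].split()[0]


def matching_events(predicate_name: str, events=EVENTS, field: str = "field2") -> List[str]:
    """Labels of the events the named predicate keeps, in input order."""
    pred = PREDICATES[predicate_name]
    return [label(e) for e in events if pred(e, field)]


def fillnull_then_search(events=EVENTS, field: str = "field2", value: str = "0") -> List[str]:
    """Model of the OP's alternative `fillnull field2 | search field2=0`:
    absent fields are filled with the default "0" (assumption: only absent ones,
    an existing empty string is left alone), then the filled value is searched for."""
    filled = [dict(e, **{field: e.get(field, value)}) for e in events]
    return [label(e) for e in filled if e[field] == value]


def truth_table(events=EVENTS, field: str = "field2") -> Dict[str, List[str]]:
    """Which events each predicate keeps; shows that only NOT field2=* and isnull find B."""
    return {name: matching_events(name, events, field) for name in PREDICATES}


if __name__ == "__main__":
    for name, kept in truth_table().items():
        print(f"{name:22} -> {kept}")
    print(f"{'fillnull | search =0':22} -> {fillnull_then_search()}")
```

Running it shows field2!=* keeping nothing, NOT field2=* and where isnull(field2) keeping only B, and field2="" keeping only C, which is the point k8to makes: an empty field and a missing field are different states, and only the last two forms actually answer the original question.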