Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for event with null values in fields

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:07 PM

I'm trying to find all events in the logs that have no value in a field. What's the simplest query for that?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:12 PM

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

View solution in original post

Reply
Solved! Jump to solution

siraj198204
Explorer
‎10-17-2014 10:10 AM

Hi,

i added | where len(sso_id)>0 this search with the above search ...

it is looks good ... working very good ...

Thank u ...

0 Karma
Reply
Solved! Jump to solution

Kwip
Contributor
‎12-19-2017 09:20 AM

I downvoted this post because by mistake

0 Karma
Reply
Solved! Jump to solution

siraj198204
Explorer
‎10-17-2014 09:08 AM

Hi ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "([[^]]]){10}[(?P[^]])]" |dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_sso |where matched_sso!="NonNbcAccount"

This is working good ,

output ,

10/17/14
12:04:48.549 PM
example 1

[10/17/2014][09:04:48.549][1041173424][s1206273/r789][Supportcentral Internal][][][][][][127004108][][][][][][supportcentralalpcispweb536vprd][** Status: Authorized. ][]
host =useclpapl894.nbcuni.ge.com
matched_sso =127004108
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =127004108

example 1 is correct ..

10/17/14
12:04:48.547 PM

example 2 ,

[10/17/2014][09:04:48.547][1041173424][][][SupportCentral allow access][NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]
host =useclpapl894.nbcuni.ge.com
matched_sso ="NonNbcAccount"
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =

in example 2 is having null value , the 11th field is null [] ... but it is returning that value also ...

actually i dont want null value ..

0 Karma
Reply
Solved! Jump to solution
Solution

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:12 PM

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

Reply
Solved! Jump to solution

JoeSco27
Communicator
‎09-06-2013 11:51 AM

for example if you don't want "value OR value" you can use:
key!="value OR value" , the explanation point "bang" does the same function as the NOT

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎04-25-2013 12:33 AM

Is there another way, to search null without "NOT" ?
I user Sideview and Pulldowns with "+OR+" Separator... so the output from the pulldown for the underlying search is key="value OR value" I can't use NOT there...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...