Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I search for event with null values in fields

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:07 PM

I'm trying to find all events in the logs that have no value in a field. What's the simplest query for that?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:12 PM

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

View solution in original post

Reply
Solved! Jump to solution

siraj198204
Explorer
‎10-17-2014 10:10 AM

Hi,

i added | where len(sso_id)>0 this search with the above search ...

it is looks good ... working very good ...

Thank u ...

0 Karma
Reply
Solved! Jump to solution

Kwip
Contributor
‎12-19-2017 09:20 AM

I downvoted this post because by mistake

0 Karma
Reply
Solved! Jump to solution

siraj198204
Explorer
‎10-17-2014 09:08 AM

Hi ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "([[^]]]){10}[(?P[^]])]" |dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_sso |where matched_sso!="NonNbcAccount"

This is working good ,

output ,

10/17/14
12:04:48.549 PM
example 1

[10/17/2014][09:04:48.549][1041173424][s1206273/r789][Supportcentral Internal][][][][][][127004108][][][][][][supportcentralalpcispweb536vprd][** Status: Authorized. ][]
host =useclpapl894.nbcuni.ge.com
matched_sso =127004108
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =127004108

example 1 is correct ..

10/17/14
12:04:48.547 PM

example 2 ,

[10/17/2014][09:04:48.547][1041173424][][][SupportCentral allow access][NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]
host =useclpapl894.nbcuni.ge.com
matched_sso ="NonNbcAccount"
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =

in example 2 is having null value , the 11th field is null [] ... but it is returning that value also ...

actually i dont want null value ..

0 Karma
Reply
Solved! Jump to solution
Solution

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:12 PM

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

Reply
Solved! Jump to solution

JoeSco27
Communicator
‎09-06-2013 11:51 AM

for example if you don't want "value OR value" you can use:
key!="value OR value" , the explanation point "bang" does the same function as the NOT

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎04-25-2013 12:33 AM

Is there another way, to search null without "NOT" ?
I user Sideview and Pulldowns with "+OR+" Separator... so the output from the pulldown for the underlying search is key="value OR value" I can't use NOT there...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...