Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for event with null values in fields

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:07 PM

I'm trying to find all events in the logs that have no value in a field. What's the simplest query for that?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:12 PM

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

View solution in original post

Reply
Solved! Jump to solution

siraj198204
Explorer
‎10-17-2014 10:10 AM

Hi,

i added | where len(sso_id)>0 this search with the above search ...

it is looks good ... working very good ...

Thank u ...

0 Karma
Reply
Solved! Jump to solution

Kwip
Contributor
‎12-19-2017 09:20 AM

I downvoted this post because by mistake

0 Karma
Reply
Solved! Jump to solution

siraj198204
Explorer
‎10-17-2014 09:08 AM

Hi ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "([[^]]]){10}[(?P[^]])]" |dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_sso |where matched_sso!="NonNbcAccount"

This is working good ,

output ,

10/17/14
12:04:48.549 PM
example 1

[10/17/2014][09:04:48.549][1041173424][s1206273/r789][Supportcentral Internal][][][][][][127004108][][][][][][supportcentralalpcispweb536vprd][** Status: Authorized. ][]
host =useclpapl894.nbcuni.ge.com
matched_sso =127004108
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =127004108

example 1 is correct ..

10/17/14
12:04:48.547 PM

example 2 ,

[10/17/2014][09:04:48.547][1041173424][][][SupportCentral allow access][NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]
host =useclpapl894.nbcuni.ge.com
matched_sso ="NonNbcAccount"
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =

in example 2 is having null value , the 11th field is null [] ... but it is returning that value also ...

actually i dont want null value ..

0 Karma
Reply
Solved! Jump to solution
Solution

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:12 PM

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

Reply
Solved! Jump to solution

JoeSco27
Communicator
‎09-06-2013 11:51 AM

for example if you don't want "value OR value" you can use:
key!="value OR value" , the explanation point "bang" does the same function as the NOT

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎04-25-2013 12:33 AM

Is there another way, to search null without "NOT" ?
I user Sideview and Pulldowns with "+OR+" Separator... so the output from the pulldown for the underlying search is key="value OR value" I can't use NOT there...

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...