Splunk Search

How do you see events where a variable's value is null?

Explorer

I am trying to see the events that have null values for a variable called 'Issuer', but I can't seem to find a way to make this work.

Here are examples of what I have tried:

| where isnull(Issuer)
| search Issuer!="*"
| search Issuer!="A*" AND Issuer!="B*"... AND Issuer!="Z*"
| search NOT Issuer=*

Without any of these, the variable is present in about 95% of the events; I know that from clicking on the field 'Issuer' on the left hand side of the search.

All three of those lines return nothing when used on their own.

One odd thing is that if I do this:

| search Issuer!="I*"

It will say that the variable is in every event, but if I try this:

| search Issuer="I*"

This also says the variable is in every event.

I do not know why this is happening so if anyone has any suggestions as to how I should go about finding these null variables please let me know. Thank you.

0 Karma
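As an added illustration that is not part of the original thread, the Python model below reproduces Splunk's documented treatment of missing fields by the two comparison forms: `field!=value` only returns events that carry the field, while `NOT field=value` also returns events where the field is absent. The events are constructed for the example, and `wildcard_match` is a simplified stand-in for Splunk's `*` matching, not Splunk code.

```python
import re

# Constructed sample events (not from the original post): each dict holds the
# fields Splunk would have extracted. An event with no "Issuer" key models an
# event where the field was never extracted, i.e. the field is null there.
EVENTS = [
    {"Issuer": "Internal CA", "File": "a.pem"},
    {"Issuer": "Example Root", "File": "b.pem"},
    {"Issuer": "Intermediate CA", "File": "c.pem"},
    {"File": "d.pem"},  # Issuer absent
]


def wildcard_match(value, pattern):
    """Simplified Splunk-style match: '*' matches any run of characters,
    everything else is literal, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def field_not_equal(events, field, pattern):
    """`field!=pattern`: only events that HAVE the field and whose value does
    not match. Events lacking the field are excluded, not returned."""
    return [e for e in events if field in e and not wildcard_match(e[field], pattern)]


def not_field_equal(events, field, pattern):
    """`NOT field=pattern`: the complement of a positive match, which also
    returns events where the field is absent."""
    return [e for e in events if not (field in e and wildcard_match(e[field], pattern))]


def is_null(events, field):
    """`where isnull(field)`: events where the field was never extracted."""
    return [e for e in events if field not in e]


def compare_forms(events, field="Issuer", prefix="I*"):
    """Hit count of each SPL form over the sample, keyed by the form as written."""
    return {
        f'{field}!="{prefix}"': len(field_not_equal(events, field, prefix)),
        f'NOT {field}="{prefix}"': len(not_field_equal(events, field, prefix)),
        f'{field}!="*"': len(field_not_equal(events, field, "*")),
        f"NOT {field}=*": len(not_field_equal(events, field, "*")),
        f"isnull({field})": len(is_null(events, field)),
    }


if __name__ == "__main__":
    for form, hits in compare_forms(EVENTS).items():
        print(f"{form:<20} -> {hits} event(s)")
```

Under this model `Issuer!="*"` can never return an event, because every event that has the field matches `*` and events without the field are excluded by `!=` before the comparison happens. The forms that reach null fields are `NOT Issuer=*` and `isnull(Issuer)`, which is why those are the ones worth checking first when a field appears to be missing from a fraction of events.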
1 Solution

Explorer

The problem had something to do with the rex command. This was my rex command:
| rex field=_raw "Issuer=\"(?<Issuer>.+)\";File"

Some of the variables around the Issuer variable just were not being caught, but when I changed it to this:
| rex field=_raw "Issuer=(?<Issuer>.+);File"

Everything gets caught. I believe this is a bug because I can have the '\"' on either side, but not both. I also tried using '\S' on both sides and that also does not capture everything. It also is not an issue with the string being captured because looking at the stats I can see that the number of individual Issuers caught does not change, but the number each individual one appears gets lowered slightly.


0 Karma
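As an added example that is not the poster's data or code, the Python script below runs the two rex patterns from the solution (ported to Python's `(?P<name>...)` group syntax) over constructed raw events and reports where their extractions disagree. It assumes, as one possible shape for the inconsistency described above, that some events wrap the Issuer value in double quotes and some do not; the third pattern, with an optional quote and a lazy quantifier, is a suggested alternative from this editor, not something from the thread.

```python
import re

# Constructed raw events (not the poster's data). Some carry the Issuer value in
# double quotes, some do not, and one has no Issuer key at all. This is an
# ASSUMED shape for the kind of inconsistency that makes two rex patterns
# disagree; the real events may differ.
RAW_EVENTS = [
    'ts=1 Issuer="Internal CA";File=a.pem;Status=ok',
    'ts=2 Issuer=Example Root;File=b.pem;Status=ok',
    'ts=3 Issuer="Intermediate CA";File=c.pem;Status=revoked',
    'ts=4 File=d.pem;Status=ok',
]

# The two patterns from the post. Python names groups (?P<name>...) where
# Splunk's PCRE-based rex uses (?<name>...); the matching behaviour is the same here.
QUOTED = re.compile(r'Issuer="(?P<Issuer>.+)";File')    # rex field=_raw "Issuer=\"(?<Issuer>.+)\";File"
UNQUOTED = re.compile(r'Issuer=(?P<Issuer>.+);File')    # rex field=_raw "Issuer=(?<Issuer>.+);File"
# Suggested alternative (not from the thread): optional quotes and a lazy match,
# so quoted and unquoted values are both captured without the quote characters.
OPTIONAL_QUOTES = re.compile(r'Issuer="?(?P<Issuer>.+?)"?;File')


def extract(pattern, raw):
    """Return the Issuer capture, or None when the pattern does not match
    (the rex equivalent of the field being null for that event)."""
    m = pattern.search(raw)
    return m.group("Issuer") if m else None


def compare_extractions(events, a, b):
    """Run both patterns over every event and report where they disagree:
    events null under a, events null under b, and events extracted differently."""
    report = {"a_null": [], "b_null": [], "differ": []}
    for raw in events:
        va, vb = extract(a, raw), extract(b, raw)
        if va is None:
            report["a_null"].append(raw)
        if vb is None:
            report["b_null"].append(raw)
        if va is not None and vb is not None and va != vb:
            report["differ"].append((raw, va, vb))
    return report


if __name__ == "__main__":
    result = compare_extractions(RAW_EVENTS, QUOTED, UNQUOTED)
    print("null under quoted pattern:  ", result["a_null"])
    print("null under unquoted pattern:", result["b_null"])
    for raw, va, vb in result["differ"]:
        print(f"differ: {raw!r}: quoted={va!r} unquoted={vb!r}")
    print("optional-quote pattern:", [extract(OPTIONAL_QUOTES, e) for e in RAW_EVENTS])
```

Two things the comparison makes visible: the quoted pattern yields a null field for any event whose value is not quoted, which is the kind of gap `| where isnull(Issuer)` or `| search NOT Issuer=*` is meant to surface; and dropping the quotes from the pattern keeps the literal `"` characters inside the captured value, so a `stats count by Issuer` after that change counts `"Internal CA"` (with quotes) as a value distinct from `Internal CA`. Running both extractions side by side over a sample, as done here, is a quicker way to locate the events a rex is missing than searching for the absence of the field after the fact.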

SplunkTrust

When you say null values, does your raw data have field values as literal null OR just blank? Give this a try:

your base search
| regex Issuer!=".+"
0 Karma

Explorer

I don't know what the raw data for the field is when Splunk does not collect a value. I believe it is just blank though. The search you recommended brought up nothing. Thank you though.

0 Karma

Influencer

Does this work?

| search NOT Issuer=*

0 Karma

Explorer

No, I forgot to mention I tried that, sorry.

0 Karma

Influencer
| fillnull value="NA" Issuer | search Issuer="NA"
0 Karma

Explorer

That one was new, but it also returned nothing.
I'm beginning to think Splunk is not treating the values as though they are null, but I don't know how to figure out how it is treating them.

0 Karma