Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to exclude events with null fields in a search?

lbogle
Contributor
‎09-10-2014 03:00 PM

Hello Splunkers,
I've got a search built thats working properly but I'm not able to get the events with a particular blank field excluded. In particular, I'm trying to exclude events that have a blank System Name field. I was trying to do it thusly:

search | where isnull(System Name)

Is that wrong?

Thanks,

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-10-2014 03:20 PM

That's not the easiest way to do it, and you have the test reversed. Plus, field names can't have spaces in the search command. Here is the easy way:

fieldA=*

This search will only return events that have some value for fieldA. If you want to make sure that several fields have values, you could do this

fieldA=* SystemName=*

View solution in original post

Reply
Solved! Jump to solution

gsopkoTC
Path Finder
‎07-29-2016 06:27 AM

I know this is a bit late, but possibly:

field!=null
Reply
Solved! Jump to solution

lguinn2
Legend
‎09-19-2016 02:17 PM

null is not a reserved word in Splunk. So your solution may appear to work, but it is actually testing

field!="null"

In the search command, the text following an equal sign is considered a string.

But it probably works in your application.

Reply
Solved! Jump to solution

dcagatay
Explorer
‎05-05-2015 12:26 AM

In my case, field search with asterisk(*) didn't work, but using not equal to empty string worked.

fieldA!=""
Reply
Solved! Jump to solution

jakeblack
Explorer
‎02-25-2016 05:14 AM

This sorted me right out! Thanks

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-10-2014 03:20 PM

That's not the easiest way to do it, and you have the test reversed. Plus, field names can't have spaces in the search command. Here is the easy way:

fieldA=*

This search will only return events that have some value for fieldA. If you want to make sure that several fields have values, you could do this

fieldA=* SystemName=*
Reply
Solved! Jump to solution

lbogle
Contributor
‎09-10-2014 10:02 PM

There are supposed to be asterix marks after the ='s above....

0 Karma
Reply
Solved! Jump to solution

lbogle
Contributor
‎09-10-2014 05:02 PM

I see. So if you have fieldA=* it will only return events with fieldA=* where fieldA actually has "anything" in and not "nothing" or blank space. Is that correct?

Would the correct syntax for the way I put it first be?:

search | where isnotnull(hostname)

Thanks for your time!

Reply
Solved! Jump to solution

lguinn2
Legend
‎04-23-2015 10:12 AM

Yes, fieldA=* means "fieldA must have a value." Blank space is actually a valid value, hex 20 = ASCII space - but blank fields rarely occur in Splunk.

Yes, you can use isnotnull with the where command. But it is most efficient to filter in the very first search command if possible.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...