Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get all instances that has a field without any value

manjushan
Explorer
‎11-05-2012 10:54 AM

This is the line in my log file.I want to get all searchTerms that do not have a value for PAMapped

2012-10-29 11:20:21,711 - searchTerm=speeding&location=Soperton%2C+GA&PAMapped=

This is the search I gave.

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" NOT PAMapped=* earliest=-1mon@mon

But it does not return all instances. It returns only one.

0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:42 AM

I could use eval to map it to a variable is the value is null

index=savvis-varnish source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" earliest=-0mon@mon| eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped))

But now how do I use eval to display only those log lines that have Practice_Area="Not Mapped"

0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:34 AM

Tried, No result.

0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:34 AM

Tried, No result. I saw that there is isnull function with eval ? Do you know how to use that.

0 Karma
Reply

BobM
Builder
‎11-05-2012 11:32 AM

Try this with no spaces

PAMapped=""
0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:30 AM

Tried this too, with no result:

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped='' earliest=-1mon@mon

0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:21 AM

I tried

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped!=* earliest=-1mon@mon

but did not return any result.

0 Karma
Reply

mattness
Splunk Employee
Splunk Employee
‎11-05-2012 11:14 AM

Try this search instead:

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped!=* earliest=-1mon@mon

The != operator can be better for this sort of thing.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...