Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to get all instances that has a field without any value

manjushan
Explorer
‎11-05-2012 10:54 AM

This is the line in my log file.I want to get all searchTerms that do not have a value for PAMapped

2012-10-29 11:20:21,711 - searchTerm=speeding&location=Soperton%2C+GA&PAMapped=

This is the search I gave.

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" NOT PAMapped=* earliest=-1mon@mon

But it does not return all instances. It returns only one.

0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:42 AM

I could use eval to map it to a variable is the value is null

index=savvis-varnish source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" earliest=-0mon@mon| eval Practice_Area=if(isnull(PAMapped),"Not Mapped",urldecode(PAMapped))

But now how do I use eval to display only those log lines that have Practice_Area="Not Mapped"

0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:34 AM

Tried, No result.

0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:34 AM

Tried, No result. I saw that there is isnull function with eval ? Do you know how to use that.

0 Karma
Reply

BobM
Builder
‎11-05-2012 11:32 AM

Try this with no spaces

PAMapped=""
0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:30 AM

Tried this too, with no result:

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped='' earliest=-1mon@mon

0 Karma
Reply

manjushan
Explorer
‎11-05-2012 11:21 AM

I tried

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped!=* earliest=-1mon@mon

but did not return any result.

0 Karma
Reply

mattness
Splunk Employee
Splunk Employee
‎11-05-2012 11:14 AM

Try this search instead:

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" PAMapped!=* earliest=-1mon@mon

The != operator can be better for this sort of thing.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...