Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for event field that can 'potentially' contain NULL values

kenth213
Path Finder
‎01-14-2015 04:38 PM

I have a dashboard that has input field tokens to populate a search string. These input fields default to * when no value is specified.
When the wildcard is used, I am having trouble displaying all events when a field has a NULL value.

For example I have fields "FIELD1" and "FIELD2", and events with the following values:
- A) FIELD1 = Admin FIELD2 = Active
- B) FIELD1 = Admin FIELD2 = Active
- C) FIELD1 = User FIELD2 = Inactive
- D) FIELD1 = User FIELD2 =

Event D FIELD2 is NULL. If my search was FIELD1 = * and FIELD2 = "Active" I only return events A and B (correct). However if my search was looking for FIELD1 = * and FIELD2 = * I only find events A B and C.

How do I return all FIELD2 values even if NULL if no value has been specified in the input field - and still enable a specific value to be used e.g. Active?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

jayannah
Builder
‎01-14-2015 06:24 PM

"NOT FIELD2=*" returns the events where FIELD2 value is NULL.

For your case :

     option-1:  FIELD1=*  AND (FIELD2=* OR  NOT FIELD2=* )
     Option-2:  |fillnull value=SOMETHING FIELD2 | where FIELD1=* and FIELD2=*

option-1 is preferred.

let me know if it doesn't work.

View solution in original post

Reply
Solved! Jump to solution
Solution

jayannah
Builder
‎01-14-2015 06:24 PM

"NOT FIELD2=*" returns the events where FIELD2 value is NULL.

For your case :

     option-1:  FIELD1=*  AND (FIELD2=* OR  NOT FIELD2=* )
     Option-2:  |fillnull value=SOMETHING FIELD2 | where FIELD1=* and FIELD2=*

option-1 is preferred.

let me know if it doesn't work.

Reply
Solved! Jump to solution

kenth213
Path Finder
‎01-14-2015 07:15 PM

Option 1 was close, but had issues if a user input other than * is specified. For searches when no user input is specified it works perfectly (as * is default value).

Option 2 was easiest for me to use as I just assigned FIELD2 = "" and could then leave my search string logic as it was.

Thanks for the help.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...