Splunk Search

Search for null fields following rex field extraction

DanSec
Engager

I have a current search used in dashboards and alerts. It extracts fields from an existing field. I'm trying to edit this to only return results if the extracted fields are null/empty but I get no results. Essentially this is used to extract ticket numbers and descriptions entered into a freeform text box and I'm trying to pick up when this isn't entered or entered incorrectly.

My search:

index=<MyIndex> sourcetype=<MySourceType> log_subtype=general description=CommitAll*
| rex field=description "JobId=(?<JobId>.*?)\." | rename JobId as "Job ID"
| rex field=description "User:\s(?<user>.*?)\." | rename user as User
| rex field=description "Commit Description:\s(?<CommitDescription>.*)" | rename CommitDescription as "Commit Description"
| rex field=description "(?<JobDescription>.*).*JobId" | rename JobDescription as "Job Description"
| rex field=description "device-group\s(?<DeviceGroup>.*?)\s" | rename DeviceGroup as "Device Group"
| rex field=description "template\s(?<template>.*?)\s" | rename template as Template
| rex field="Commit Description" "\b(?<TicketNumber>\d{5})\b" | rename TicketNumber as "Ticket Number"
| transaction "Job ID" | table _time,host,"Job ID",User,"Ticket Number","Commit Description","Template","Device Group","Job Description"

I have tried adding:


| where isnull("Ticket Number") OR "Ticket Number"=""


I'm assuming that if the search is unable to extract the fields because a ticket number or description has not been entered, then the field won't exist to search?

I'm going round in circles here as I don't really understand what happens if the field extraction REX doesn't find a match.

0 Karma
1 Solution

ITWhisperer
SplunkTrust

Try putting the field names in single quotes in the where command

| where isnull('Ticket Number') OR 'Ticket Number'=""


0 Karma

DanSec
Engager

Looking for the facepalm emoji!

Thanks @ITWhisperer 

0 Karma
