Splunk Search

Search for null fields following rex field extraction

DanSec
Engager

I have a current search used in dashboards and alerts. It extracts fields from an existing field. I'm trying to edit this to only return results if the extracted fields are null/empty but I get no results. Essentially this is used to extract ticket numbers and descriptions entered into a freeform text box and I'm trying to pick up when this isn't entered or entered incorrectly.

My search:

 

index=<MyIndex> sourcetype=<MySourceType> log_subtype=general description=CommitAll*
| rex field=description "JobId=(?<JobId>.*?)\." | rename JobId as "Job ID"
| rex field=description "User:\s(?<user>.*?)\." | rename user as User
| rex field=description "Commit Description:\s(?<CommitDescription>.*)" | rename CommitDescription as "Commit Description"
| rex field=description "(?<JobDescription>.*).*JobId" | rename JobDescription as "Job Description"
| rex field=description "device-group\s(?<DeviceGroup>.*?)\s" | rename DeviceGroup as "Device Group"
| rex field=description "template\s(?<Template>.*?)\s" | rename template as Template
| rex field="Commit Description" "\b(?<TicketNumber>\d{5})\b" | rename TicketNumber as "Ticket Number"
| transaction "Job ID" | table _time,host,"Job ID",User,"Ticket Number","Commit Description","Template","Device Group","Job Description"

 

I have tried adding:

 

| where isnull("Ticket Number") OR "Ticket Number"=""

 

I'm assuming that if the search is unable to extract the fields because a ticket number or description has not been entered then the field won't exists to search?

I'm going round in circle here as I don't really understand what happens if the field extraction REX doesn't find a match.

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try putting the field names in single quotes in the where command

| where isnull('Ticket Number') OR 'Ticket Number'=""

View solution in original post

0 Karma

DanSec
Engager

Looking for the facepalm emoji!

Thanks @ITWhisperer 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try putting the field names in single quotes in the where command

| where isnull('Ticket Number') OR 'Ticket Number'=""
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...