Splunk Search

Search for null fields following rex field extraction

DanSec
Engager

I have a current search used in dashboards and alerts. It extracts fields from an existing field. I'm trying to edit this to only return results if the extracted fields are null/empty but I get no results. Essentially this is used to extract ticket numbers and descriptions entered into a freeform text box and I'm trying to pick up when this isn't entered or entered incorrectly.

My search:

 

index=<MyIndex> sourcetype=<MySourceType> log_subtype=general description=CommitAll*
| rex field=description "JobId=(?<JobId>.*?)\." | rename JobId as "Job ID"
| rex field=description "User:\s(?<user>.*?)\." | rename user as User
| rex field=description "Commit Description:\s(?<CommitDescription>.*)" | rename CommitDescription as "Commit Description"
| rex field=description "(?<JobDescription>.*).*JobId" | rename JobDescription as "Job Description"
| rex field=description "device-group\s(?<DeviceGroup>.*?)\s" | rename DeviceGroup as "Device Group"
| rex field=description "template\s(?<Template>.*?)\s" | rename template as Template
| rex field="Commit Description" "\b(?<TicketNumber>\d{5})\b" | rename TicketNumber as "Ticket Number"
| transaction "Job ID" | table _time,host,"Job ID",User,"Ticket Number","Commit Description","Template","Device Group","Job Description"

 

I have tried adding:

 

| where isnull("Ticket Number") OR "Ticket Number"=""

 

I'm assuming that if the search is unable to extract the fields because a ticket number or description has not been entered then the field won't exists to search?

I'm going round in circle here as I don't really understand what happens if the field extraction REX doesn't find a match.

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try putting the field names in single quotes in the where command

| where isnull('Ticket Number') OR 'Ticket Number'=""

View solution in original post

0 Karma

DanSec
Engager

Looking for the facepalm emoji!

Thanks @ITWhisperer 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try putting the field names in single quotes in the where command

| where isnull('Ticket Number') OR 'Ticket Number'=""
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...