Is there a best way to search for blank fields in a search?
="" doesn't seem to work. Is there a way to do this? The only thing we have been able to do is a fillnull and then search for those fields we filled in with a specific term.
To expand on this, since I recently ran into the very same issue. If you have a search time field extraction and an event that should contain the field but doesn't, you can't do a search for fieldname="" because the field doesn't get extracted if it's not there.
But if you search for events that should contain the field and want to specifically find events that don't have the field set, the following worked for me (the index/sourcetype combo should always have fieldname set in my case):
index=myindex sourcetype=mysourcetype NOT fieldname=*
All of which is a long way of saying make sure you include search criteria that should always find events with that field set.
Old question, but isnull does work for me. These two searches are equivalent:
index=cers A_Number=04* | where isnull(MoLiIn)
index=cers A_Number=04* NOT MoLiIn=*
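To see the two previous answers side by side, here is an added SPL example (not from the original posters) that builds four constructed events with `makeresults`; only events 1 and 3 get `dv_install_status` set (the field name is borrowed from the question), so the final filter should return events 2 and 4:

```spl
| makeresults count=4
| streamstats count AS n
| eval dv_install_status=case(n=1, "installed", n=3, "pending")
| fields n dv_install_status
| search NOT dv_install_status=*
```

Replacing the last line with `| where isnull(dv_install_status)` returns the same two events, while `| search dv_install_status=""` returns nothing, because an unset field has no value to compare against.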
NOT dv_install_status="*" will find all the events where the value of the field dv_install_status is empty or zero.
Try it and see the results; I have already used this option.
I am actually asking on behalf of a co-worker. We would not like to have to fill in the blank space; we just want to find all the fields where it is blank. isnull didn't seem to be working. The only thing he seemed to be able to use is fillnull (| fillnull value="Blank" dv_install_status) and then search for the field where it said Blank. Is there any way to search for blank fields without doing fillnull?