Splunk Search

What is the best way to search for blank (null) fields in a search?

hastrike
New Member

Is there a best way to search for blank fields in a search? isnull() or ="" doesn't seem to work. Is there way to do this? The only thing we have been able to do is do a f-llnull and then search for those fields we filled in those fields with a specific term.

0 Karma
1 Solution

gyslainlatsa
Motivator

ehennessey_splu
Splunk Employee
Splunk Employee

To expand on this, since I recently ran into the very same issue. If you have a search time field extraction and an event that should contain the field but doesn't, you can't do a search for fieldname="" because the field doesn't get extracted if it's not there.

But if you search for events that should contain the field and want to specifically find events that don't have the field set, the following worked for me (the index/sourcetype combo should always have fieldname set in my case):

index=myindex sourcetype=mysourcetype NOT fieldname=*

All of which is a long way of saying make sure you include search criteria that should always find events with that field set.

nigel_pearson_a
New Member

Old question, but isnull does work for me. These two searches are equivalent:

index=cers  A_Number=04*   | where isnull(MoLiIn)

index=cers  A_Number=04*   NOT MoLiIn=*
0 Karma

gyslainlatsa
Motivator

hi hastrike,

use NOT field="*"

for more informations, follow this link:

https://answers.splunk.com/answers/28197/how-do-i-search-for-event-with-null-values-in-fields.html

hastrike
New Member

so if you wanted to search for two fields such as NULL and inuse would it be something like this:
NOT dv_install_status="*" OR dv_install_status="In use" ?

0 Karma

gyslainlatsa
Motivator

"In use" is a value of *

just write NOT dv_install_status="*"

0 Karma

hastrike
New Member

We just want to find all the fields with In use as the event or if the field is null. Won't this find any event with the * since that is thee wild card?

0 Karma

gyslainlatsa
Motivator

NOT dv_install status = "*" will find all the events wherethe value of the field dv_install_status is empty or zero.

try and see the results because I have already used this option

0 Karma

gyslainlatsa
Motivator

thanks, don't forget to vote

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The isnull should work fine, if you're able to use fillnull. Could you post the search that you tried with fillnull?

0 Karma

hastrike
New Member

I am actually asking on behalf of co-worker. We would like not have to fill in the blank space we just want to find all the fields where it is blank. IsNull didn't seem to be working. The only thing he seemed to be able to use is fillnull (| fillnull value="Blank" dv_install_status) then then search for the field where it said blank. Is there any way to search for blank fields with out doing fill null?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

If the fillnull is working, I would give this a try

your base search | where isnull(dv_install_status)
0 Karma

hastrike
New Member

so just checking is that searching field dv_install_status for any fields that is null?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

It's just selecting events where dv_install_status is null.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...