Splunk Search

What is the best way to search for blank (null) fields in a search?

New Member

Is there a best way to search for blank fields in a search? isnull() or ="" doesn't seem to work. Is there way to do this? The only thing we have been able to do is do a f-llnull and then search for those fields we filled in those fields with a specific term.

0 Karma
1 Solution

Motivator

Splunk Employee
Splunk Employee

To expand on this, since I recently ran into the very same issue. If you have a search time field extraction and an event that should contain the field but doesn't, you can't do a search for fieldname="" because the field doesn't get extracted if it's not there.

But if you search for events that should contain the field and want to specifically find events that don't have the field set, the following worked for me (the index/sourcetype combo should always have fieldname set in my case):

index=myindex sourcetype=mysourcetype NOT fieldname=*

All of which is a long way of saying make sure you include search criteria that should always find events with that field set.

New Member

Old question, but isnull does work for me. These two searches are equivalent:

index=cers  A_Number=04*   | where isnull(MoLiIn)

index=cers  A_Number=04*   NOT MoLiIn=*
0 Karma

Motivator

New Member

so if you wanted to search for two fields such as NULL and inuse would it be something like this:
NOT dvinstallstatus="*" OR dvinstallstatus="In use" ?

0 Karma

Motivator

"In use" is a value of *

just write NOT dv_install_status="*"

0 Karma

New Member

We just want to find all the fields with In use as the event or if the field is null. Won't this find any event with the * since that is thee wild card?

0 Karma

Motivator

NOT dvinstall status = "*" will find all the events wherethe value of the field dvinstall_status is empty or zero.

try and see the results because I have already used this option

0 Karma

Motivator

thanks, don't forget to vote

0 Karma

SplunkTrust
SplunkTrust

The isnull should work fine, if you're able to use fillnull. Could you post the search that you tried with fillnull?

0 Karma

New Member

I am actually asking on behalf of co-worker. We would like not have to fill in the blank space we just want to find all the fields where it is blank. IsNull didn't seem to be working. The only thing he seemed to be able to use is fillnull (| fillnull value="Blank" dvinstallstatus) then then search for the field where it said blank. Is there any way to search for blank fields with out doing fill null?

0 Karma

SplunkTrust
SplunkTrust

If the fillnull is working, I would give this a try

your base search | where isnull(dv_install_status)
0 Karma

New Member

so just checking is that searching field dvinstallstatus for any fields that is null?

0 Karma

SplunkTrust
SplunkTrust

It's just selecting events where dvinstallstatus is null.

0 Karma