Splunk Search

What is the best way to search for blank (null) fields in a search?

New Member

Is there a best way to search for blank fields in a search? isnull() or ="" doesn't seem to work. Is there a way to do this? The only thing we have been able to do is do a fillnull and then search for those fields we filled in with a specific term.

0 Karma

Re: What is the best way to search for blank (null) fields in a search?

SplunkTrust

The isnull should work fine, if you're able to use fillnull. Could you post the search that you tried with fillnull?

0 Karma

Re: What is the best way to search for blank (null) fields in a search?

New Member

I am actually asking on behalf of a co-worker. We would like not to have to fill in the blank space; we just want to find all the fields where it is blank. IsNull didn't seem to be working. The only thing he seemed to be able to use is fillnull (| fillnull value="Blank" dv_install_status) and then search for the field where it said blank. Is there any way to search for blank fields without doing fillnull?

0 Karma

Re: What is the best way to search for blank (null) fields in a search?

SplunkTrust

If the fillnull is working, I would give this a try

your base search | where isnull(dv_install_status)
0 Karma

Re: What is the best way to search for blank (null) fields in a search?

New Member

So, just checking: is that searching the field dv_install_status for any fields that are null?

0 Karma

Re: What is the best way to search for blank (null) fields in a search?

SplunkTrust

It's just selecting events where dv_install_status is null.

0 Karma

Re: What is the best way to search for blank (null) fields in a search?

Motivator

Re: What is the best way to search for blank (null) fields in a search?

New Member

So if you wanted to search for two fields such as NULL and inuse, would it be something like this:
NOT dv_install_status="*" OR dv_install_status="In use" ?

0 Karma

Re: What is the best way to search for blank (null) fields in a search?

Motivator

"In use" is a value of *

just write NOT dv_install_status="*"

0 Karma

Re: What is the best way to search for blank (null) fields in a search?

New Member

We just want to find all the fields with In use as the event or if the field is null. Won't this find any event with the * since that is the wildcard?

0 Karma
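
Added example, not part of any post in this thread: a self-contained SPL search that builds five constructed events with makeresults and keeps those where dv_install_status is null, is an empty or whitespace-only string, or equals "In use". The sample values ("Retired" and the two blank strings) are constructed, and treating blank strings the same as true nulls is an assumption about the data; a field that holds "" or spaces is not null, which is one reason isnull() can appear not to work.

```spl
| makeresults count=5
| streamstats count AS n
| eval dv_install_status=case(n=1, "In use", n=2, "Retired", n=3, "", n=4, "  ")
| eval state=case(isnull(dv_install_status), "null",
                  len(trim(dv_install_status))=0, "blank string",
                  true(), "has value")
| where isnull(dv_install_status) OR len(trim(dv_install_status))=0 OR dv_install_status="In use"
| table n dv_install_status state
```

The fifth event matches no case() branch, so its field is never set and isnull() is true for it; the "Retired" event is the only one filtered out.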