Is there a best way to search for blank fields in a search? isnull()
or =""
doesn't seem to work. Is there way to do this? The only thing we have been able to do is do a f-llnull and then search for those fields we filled in those fields with a specific term.
hi hastrike,
use NOT field="*"
for more informations, follow this link:
https://answers.splunk.com/answers/28197/how-do-i-search-for-event-with-null-values-in-fields.html
To expand on this, since I recently ran into the very same issue. If you have a search time field extraction and an event that should contain the field but doesn't, you can't do a search for fieldname=""
because the field doesn't get extracted if it's not there.
But if you search for events that should contain the field and want to specifically find events that don't have the field set, the following worked for me (the index/sourcetype combo should always have fieldname set in my case):
index=myindex sourcetype=mysourcetype NOT fieldname=*
All of which is a long way of saying make sure you include search criteria that should always find events with that field set.
Old question, but isnull does work for me. These two searches are equivalent:
index=cers A_Number=04* | where isnull(MoLiIn)
index=cers A_Number=04* NOT MoLiIn=*
hi hastrike,
use NOT field="*"
for more informations, follow this link:
https://answers.splunk.com/answers/28197/how-do-i-search-for-event-with-null-values-in-fields.html
so if you wanted to search for two fields such as NULL and inuse would it be something like this:
NOT dv_install_status="*" OR dv_install_status="In use" ?
"In use"
is a value of *
just write NOT dv_install_status="*"
We just want to find all the fields with In use as the event or if the field is null. Won't this find any event with the * since that is thee wild card?
NOT dv_install status = "*" will find all the events wherethe value of the field dv_install_status is empty or zero.
try and see the results because I have already used this option
thanks, don't forget to vote
The isnull should work fine, if you're able to use fillnull
. Could you post the search that you tried with fillnull
?
I am actually asking on behalf of co-worker. We would like not have to fill in the blank space we just want to find all the fields where it is blank. IsNull didn't seem to be working. The only thing he seemed to be able to use is fillnull (| fillnull value="Blank" dv_install_status) then then search for the field where it said blank. Is there any way to search for blank fields with out doing fill null?
If the fillnull is working, I would give this a try
your base search | where isnull(dv_install_status)
so just checking is that searching field dv_install_status for any fields that is null?
It's just selecting events where dv_install_status is null.