Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does isnotnull command return true for blank Country field added by iplocation?

frbuser
Path Finder
‎09-05-2019 12:26 PM

I am using the iplocation command on an IP based field to add new fields to each event, most importantly the Country field. I want to then filter the output to only entries where the Country field is not blank. I tried using: 

Country=*

but entries with blank values still are returned.

I also tried using: 

isnotnull(Country)

but it returns true where the field is clearly blank. Can anyone explain this behavior?

My query:

index::proxy host::proxyhost sourcetype::bcoat_log 
| regex cs_host="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" 
| top cs_host limit=0 
| iplocation cs_host 
| search Country=*
| eval null=if(isnotnull(Country),"true","false")
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 01:31 PM

Country=* searches for all values of Country, including blank. To find non-blank values, try NOT Country = "".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

frbuser
Path Finder
‎09-05-2019 02:04 PM

@richgalloway Entries with blank values still show up with that.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 02:17 PM

So it does. Sorry about that. Try where instead as in this run-anywhere example:

| makeresults annotate=t 
| eval cs_host="8.8.8.8" 
| iplocation cs_host 
| where isnotnull(Country)
---
If this reply helps you, Karma would be appreciated.
Reply

frbuser
Path Finder
‎09-09-2019 10:15 AM

@richgalloway where also does not work. Per my original question, the problem is that the isnotnull() function is returning true for some fields that are blank.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2019 10:46 AM

Blank is not the same as null so isnotnull(blank) is correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 10:58 AM

@richgalloway what is isnotnull(blank)?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2019 05:17 AM

By that I mean a field with blanks for a value is not null. Therefore, isnotnull() will correctly return true for that field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

starcher
Influencer
‎09-09-2019 10:53 AM

I agree an empty string is not a NULL which is absence of any value. You can do an isnotnull or Len = 0

0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 11:01 AM

@starcher how do you check that the len of a field is not 0?

0 Karma
Reply

starcher
Influencer
‎09-09-2019 11:03 AM

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/TextFunctions

0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 11:21 AM

@starcher eval length=len(Country) doesn't return any numeric value for some fields that have no visible value. These appear to be the null values. If I combine isnotnull(Country) AND NOT len(Country)=0 this appears to work.

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top