Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does isnotnull command return true for blank Country field added by iplocation?

frbuser
Path Finder
‎09-05-2019 12:26 PM

I am using the iplocation command on an IP based field to add new fields to each event, most importantly the Country field. I want to then filter the output to only entries where the Country field is not blank. I tried using: 

Country=*

but entries with blank values still are returned.

I also tried using: 

isnotnull(Country)

but it returns true where the field is clearly blank. Can anyone explain this behavior?

My query:

index::proxy host::proxyhost sourcetype::bcoat_log 
| regex cs_host="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" 
| top cs_host limit=0 
| iplocation cs_host 
| search Country=*
| eval null=if(isnotnull(Country),"true","false")
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 01:31 PM

Country=* searches for all values of Country, including blank. To find non-blank values, try NOT Country = "".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

frbuser
Path Finder
‎09-05-2019 02:04 PM

@richgalloway Entries with blank values still show up with that.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 02:17 PM

So it does. Sorry about that. Try where instead as in this run-anywhere example:

| makeresults annotate=t 
| eval cs_host="8.8.8.8" 
| iplocation cs_host 
| where isnotnull(Country)
---
If this reply helps you, Karma would be appreciated.
Reply

frbuser
Path Finder
‎09-09-2019 10:15 AM

@richgalloway where also does not work. Per my original question, the problem is that the isnotnull() function is returning true for some fields that are blank.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2019 10:46 AM

Blank is not the same as null so isnotnull(blank) is correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 10:58 AM

@richgalloway what is isnotnull(blank)?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2019 05:17 AM

By that I mean a field with blanks for a value is not null. Therefore, isnotnull() will correctly return true for that field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

starcher
Influencer
‎09-09-2019 10:53 AM

I agree an empty string is not a NULL which is absence of any value. You can do an isnotnull or Len = 0

0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 11:01 AM

@starcher how do you check that the len of a field is not 0?

0 Karma
Reply

starcher
Influencer
‎09-09-2019 11:03 AM

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/TextFunctions

0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 11:21 AM

@starcher eval length=len(Country) doesn't return any numeric value for some fields that have no visible value. These appear to be the null values. If I combine isnotnull(Country) AND NOT len(Country)=0 this appears to work.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...