Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why does isnotnull command return true for blank Country field added by iplocation?

frbuser
Path Finder
‎09-05-2019 12:26 PM

I am using the iplocation command on an IP based field to add new fields to each event, most importantly the Country field. I want to then filter the output to only entries where the Country field is not blank. I tried using: 

Country=*

but entries with blank values still are returned.

I also tried using: 

isnotnull(Country)

but it returns true where the field is clearly blank. Can anyone explain this behavior?

My query:

index::proxy host::proxyhost sourcetype::bcoat_log 
| regex cs_host="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" 
| top cs_host limit=0 
| iplocation cs_host 
| search Country=*
| eval null=if(isnotnull(Country),"true","false")
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 01:31 PM

Country=* searches for all values of Country, including blank. To find non-blank values, try NOT Country = "".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

frbuser
Path Finder
‎09-05-2019 02:04 PM

@richgalloway Entries with blank values still show up with that.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 02:17 PM

So it does. Sorry about that. Try where instead as in this run-anywhere example:

| makeresults annotate=t 
| eval cs_host="8.8.8.8" 
| iplocation cs_host 
| where isnotnull(Country)
---
If this reply helps you, Karma would be appreciated.
Reply

frbuser
Path Finder
‎09-09-2019 10:15 AM

@richgalloway where also does not work. Per my original question, the problem is that the isnotnull() function is returning true for some fields that are blank.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2019 10:46 AM

Blank is not the same as null so isnotnull(blank) is correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 10:58 AM

@richgalloway what is isnotnull(blank)?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2019 05:17 AM

By that I mean a field with blanks for a value is not null. Therefore, isnotnull() will correctly return true for that field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

starcher
Influencer
‎09-09-2019 10:53 AM

I agree an empty string is not a NULL which is absence of any value. You can do an isnotnull or Len = 0

0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 11:01 AM

@starcher how do you check that the len of a field is not 0?

0 Karma
Reply

starcher
Influencer
‎09-09-2019 11:03 AM

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/TextFunctions

0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 11:21 AM

@starcher eval length=len(Country) doesn't return any numeric value for some fields that have no visible value. These appear to be the null values. If I combine isnotnull(Country) AND NOT len(Country)=0 this appears to work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...