I am using the iplocation
command on an IP based field to add new fields to each event, most importantly the Country field. I want to then filter the output to only entries where the Country field is not blank. I tried using:
Country=*
but entries with blank values still are returned.
I also tried using:
isnotnull(Country)
but it returns true where the field is clearly blank. Can anyone explain this behavior?
My query:
index::proxy host::proxyhost sourcetype::bcoat_log
| regex cs_host="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| top cs_host limit=0
| iplocation cs_host
| search Country=*
| eval null=if(isnotnull(Country),"true","false")
Country=*
searches for all values of Country, including blank. To find non-blank values, try NOT Country = ""
.
@richgalloway Entries with blank values still show up with that.
So it does. Sorry about that. Try where
instead as in this run-anywhere example:
| makeresults annotate=t
| eval cs_host="8.8.8.8"
| iplocation cs_host
| where isnotnull(Country)
@richgalloway where
also does not work. Per my original question, the problem is that the isnotnull()
function is returning true for some fields that are blank.
Blank is not the same as null so isnotnull(blank)
is correct.
@richgalloway what is isnotnull(blank)
?
By that I mean a field with blanks for a value is not null. Therefore, isnotnull()
will correctly return true
for that field.
I agree an empty string is not a NULL which is absence of any value. You can do an isnotnull or Len = 0
@starcher how do you check that the len of a field is not 0?
@starcher eval length=len(Country)
doesn't return any numeric value for some fields that have no visible value. These appear to be the null values. If I combine isnotnull(Country) AND NOT len(Country)=0
this appears to work.