Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does isnotnull command return true for blank Country field added by iplocation?

frbuser
Path Finder
‎09-05-2019 12:26 PM

I am using the iplocation command on an IP based field to add new fields to each event, most importantly the Country field. I want to then filter the output to only entries where the Country field is not blank. I tried using: 

Country=*

but entries with blank values still are returned.

I also tried using: 

isnotnull(Country)

but it returns true where the field is clearly blank. Can anyone explain this behavior?

My query:

index::proxy host::proxyhost sourcetype::bcoat_log 
| regex cs_host="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" 
| top cs_host limit=0 
| iplocation cs_host 
| search Country=*
| eval null=if(isnotnull(Country),"true","false")
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 01:31 PM

Country=* searches for all values of Country, including blank. To find non-blank values, try NOT Country = "".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

frbuser
Path Finder
‎09-05-2019 02:04 PM

@richgalloway Entries with blank values still show up with that.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2019 02:17 PM

So it does. Sorry about that. Try where instead as in this run-anywhere example:

| makeresults annotate=t 
| eval cs_host="8.8.8.8" 
| iplocation cs_host 
| where isnotnull(Country)
---
If this reply helps you, Karma would be appreciated.
Reply

frbuser
Path Finder
‎09-09-2019 10:15 AM

@richgalloway where also does not work. Per my original question, the problem is that the isnotnull() function is returning true for some fields that are blank.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2019 10:46 AM

Blank is not the same as null so isnotnull(blank) is correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 10:58 AM

@richgalloway what is isnotnull(blank)?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2019 05:17 AM

By that I mean a field with blanks for a value is not null. Therefore, isnotnull() will correctly return true for that field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

starcher
Influencer
‎09-09-2019 10:53 AM

I agree an empty string is not a NULL which is absence of any value. You can do an isnotnull or Len = 0

0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 11:01 AM

@starcher how do you check that the len of a field is not 0?

0 Karma
Reply

starcher
Influencer
‎09-09-2019 11:03 AM

https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/TextFunctions

0 Karma
Reply

frbuser
Path Finder
‎09-09-2019 11:21 AM

@starcher eval length=len(Country) doesn't return any numeric value for some fields that have no visible value. These appear to be the null values. If I combine isnotnull(Country) AND NOT len(Country)=0 this appears to work.

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Observability Cloud’s AI Assistant in Action Series: Identifying Unknown ...

Agentic AI powers the Splunk AI Assistant within the Splunk Observability Cloud interface to help you quickly ...
Top