Splunk Search

Why does isnotnull command return true for blank Country field added by iplocation?

Path Finder

I am using the iplocation command on an IP based field to add new fields to each event, most importantly the Country field. I want to then filter the output to only entries where the Country field is not blank. I tried using:

Country=* 

but entries with blank values still are returned.

I also tried using:

isnotnull(Country) 

but it returns true where the field is clearly blank. Can anyone explain this behavior?

My query:

index::proxy host::proxyhost sourcetype::bcoat_log 
| regex cs_host="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" 
| top cs_host limit=0 
| iplocation cs_host 
| search Country=*
| eval null=if(isnotnull(Country),"true","false")
0 Karma

SplunkTrust
SplunkTrust

Country=* searches for all values of Country, including blank. To find non-blank values, try NOT Country = "".

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

@richgalloway Entries with blank values still show up with that.

0 Karma

SplunkTrust
SplunkTrust

So it does. Sorry about that. Try where instead as in this run-anywhere example:

| makeresults annotate=t 
| eval cs_host="8.8.8.8" 
| iplocation cs_host 
| where isnotnull(Country)
---
If this reply helps you, an upvote would be appreciated.

Path Finder

@richgalloway where also does not work. Per my original question, the problem is that the isnotnull() function is returning true for some fields that are blank.

0 Karma

SplunkTrust
SplunkTrust

Blank is not the same as null so isnotnull(blank) is correct.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

@richgalloway what is isnotnull(blank)?

0 Karma

SplunkTrust
SplunkTrust

By that I mean a field with blanks for a value is not null. Therefore, isnotnull() will correctly return true for that field.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

SplunkTrust
SplunkTrust

I agree an empty string is not a NULL which is absence of any value. You can do an isnotnull or Len = 0

0 Karma

Path Finder

@starcher how do you check that the len of a field is not 0?

0 Karma

SplunkTrust
SplunkTrust
0 Karma

Path Finder

@starcher eval length=len(Country) doesn't return any numeric value for some fields that have no visible value. These appear to be the null values. If I combine isnotnull(Country) AND NOT len(Country)=0 this appears to work.

0 Karma