Writing a regular expression to capture null value...

mahbs · ‎01-03-2018

Hi,

I've got fields which contain null values. I'm writing a regular expression to capture instances where fields contain null values.

This is what I have, but it's not working.
^(^.){0}$
I'm trying to say in this expression, looking something that's empty. But as mentioned before, it's not working. I'm not too sure how null works in splunk.

Could someone please help me with this?

Thanks
Mahbs

micahkemp · ‎01-03-2018

Do you want to find events like:

fieldyoucareabout= otherfield1=value1 otherfield2=value2

Or instead:

otherfield1=value1 otherfield2=value2

elliotproebstel · ‎01-03-2018

Have you tried using your base search | where isnull(fieldname) syntax rather than regular expressions? You can use this to find events with null values for any number of fields by chaining them like this: your base search | where isnull(fieldname) OR isnull(field2name)...

niketn · ‎01-03-2018

@mahbs, can you add sample events and also your current code using the code button (101010) on Splunk Answers, so that special characters do not escape?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Writing a regular expression to capture null values

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation