Writing a regular expression to capture null value...

mahbs · ‎01-03-2018

Hi,

I've got fields which contain null values. I'm writing a regular expression to capture instances where fields contain null values.

This is what I have, but it's not working.
^(^.){0}$
I'm trying to say in this expression, looking something that's empty. But as mentioned before, it's not working. I'm not too sure how null works in splunk.

Could someone please help me with this?

Thanks
Mahbs

micahkemp · ‎01-03-2018

Do you want to find events like:

fieldyoucareabout= otherfield1=value1 otherfield2=value2

Or instead:

otherfield1=value1 otherfield2=value2

elliotproebstel · ‎01-03-2018

Have you tried using your base search | where isnull(fieldname) syntax rather than regular expressions? You can use this to find events with null values for any number of fields by chaining them like this: your base search | where isnull(fieldname) OR isnull(field2name)...

niketn · ‎01-03-2018

@mahbs, can you add sample events and also your current code using the code button (101010) on Splunk Answers, so that special characters do not escape?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Writing a regular expression to capture null values

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!

Are you a member of the Splunk Community?

Writing a regular expression to capture null values

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

How to send events & findings from AWS to Splunk using Amazon EventBridge

Exciting News: The AppDynamics Community Joins Splunk!