Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

field value appears to be null

wtaylor149
Explorer
‎01-13-2021 02:02 PM

I'm running a search (below) that has results that sometimes in certain fields will display in the gui as empty (null) but aren't.  We I export the results I see "" as the value in the field.  I've tried several things to populate this field with data so I can search on it but I've had no luck.  Any thoughts / guidance is greatly appreciated.

search string:

| rest /servicesNS/-/-/saved/searches | where disabled=0 AND splunk_server="some_server"

| fillnull value=na next_scheduled_time

 

When I export the results and open in notepad, results are below:

title,"cron_schedule","dispatch.earliest_time","dispatch.latest_time","alert.expires","next_scheduled_time",action

"Access - Distinct Sources","","-48h@h",now,24h,"",
"Access - Distinct Users","","-48h@h",now,24h,"",

0 Karma
Reply

wtaylor149
Explorer
‎01-13-2021 02:27 PM

This may be kind of crazy but it works:

| rest /servicesNS/-/-/saved/searches | where disabled=0 AND splunk_server="my_splunk_server"
| eval n=strptime(next_scheduled_time, "%Y-%m-%d %H:%M:%S %Z")
| eval y=if(isnum(n), "yes", "no")
| search y="yes"
| table next_scheduled_time n y

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...