Solved: is "-" equals to Null

xvxt006 · ‎07-31-2013

Hi,

In another thread i have asked about if there is a way to identify if a particular cookie not being sent at all in the request. i got the below answer.

Is there a field like cookie= available? if so, look for "cookie=*" to get all answers with "cookie=" in the event. Then you can check " ...| eval isnull(cookie)" to see what entries have nothing set for cookie.

we ran a test to see how splunk displays when we don't send a cookie at all. We sent three HTTP requests, (1) Cookie=WEB (2) Cookie= (3) no Cookie. For #2 and #3 both of these result in the same result of "-".

So how do we find if the cookie is not sent or if the cookie is sent but no value in splunk.

lukejadamec · ‎07-31-2013

The "-" is inserted by web logger as a place holder when there is no value.
Splunk puts the "-" in the field because that is what is in the log. Splunk will have no way of differentiating between cookie=null and no cookie.

View solution in original post

lukejadamec · ‎07-31-2013

The "-" is inserted by web logger as a place holder when there is no value.
Splunk puts the "-" in the field because that is what is in the log. Splunk will have no way of differentiating between cookie=null and no cookie.

xvxt006 · ‎07-31-2013

Thank you.

is "-" equals to Null

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)