Splunk Search

splunk search language

kenchisho
Path Finder

Hi guys...

I have been working on a few splunk apps during the last 6 months... in that time i have ran into a peculiar problem a couple of times... the problem being the folowing:

when i use a search like:

index="index" sourcetype="sourcertype" field1="*" field2="*"

I expect all the results because i am not filtering anything... but instead i get only a small fraction of the indexed logs...

when i use the same search only writted differently like so:

index="index" sourcetype="sourcertype" NOT (field1!="*" field2!="*")

I get all the indexed data as expected...

Has anyone else ran into this or is it just me?

and

Has anyone found a solution to this besides rewriting the search to say the exactly the same thing...

Tags (1)
0 Karma
2 Solutions

ziegfried
Influencer
field1="*"

will filter and return all events where field1 is present.

View solution in original post

0 Karma

khodges_splunk
Splunk Employee
Splunk Employee

Exactly, and so you might ask why your second search works. Well, here's why:

field=* returns all events that have a value in that field; i.e. NOT NULL

So, you might expect that field!=* would return all events where there is not a value in the specified field i.e. NULL. But, that is not the case.

The way to search for NULL values is with:
NOT field=*

Go ahead and test a search with field!=* and you will get 0 matching results. This appears to be an exception to where NOT and ! do not return the same results. Or, I'm not understanding the difference clearly enough.

So, in your example your field=* term was in fact filtering out events. Specifically those that don't have a value in the specified field. (You might want to investigate why that is the case if it is not what you are expecting).

In your second example when you negate field!=* (which returns 0 results) with NOT field!=* you get all results.

It seems like in your example you just need to use index="index" and sourcetype="sourcetype"

I hope this helps.

View solution in original post

0 Karma

khodges_splunk
Splunk Employee
Splunk Employee

Exactly, and so you might ask why your second search works. Well, here's why:

field=* returns all events that have a value in that field; i.e. NOT NULL

So, you might expect that field!=* would return all events where there is not a value in the specified field i.e. NULL. But, that is not the case.

The way to search for NULL values is with:
NOT field=*

Go ahead and test a search with field!=* and you will get 0 matching results. This appears to be an exception to where NOT and ! do not return the same results. Or, I'm not understanding the difference clearly enough.

So, in your example your field=* term was in fact filtering out events. Specifically those that don't have a value in the specified field. (You might want to investigate why that is the case if it is not what you are expecting).

In your second example when you negate field!=* (which returns 0 results) with NOT field!=* you get all results.

It seems like in your example you just need to use index="index" and sourcetype="sourcetype"

I hope this helps.

0 Karma

JoeSco27
Communicator

I am running into the same problem, can you share the eval command you ran to write NULL in the empty fields?

0 Karma

kenchisho
Path Finder

Thank you also for the quick answer...

i can't just use index and sourcetype because i run postprocess searches on the results and i get nothing unless i specify the fields=*...

using the NOT != is a bit messy...

i resolved my issue by using eval to write "NULL" into the empty fields.

Again thanks for the help.

0 Karma

ziegfried
Influencer
field1="*"

will filter and return all events where field1 is present.

0 Karma

kenchisho
Path Finder

Thanks for the quick answer.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...