All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to grab all the nulls from indexes?

AL3Z
Builder
‎01-24-2023 02:38 AM

Hi,

Could you provide me with the search query for one of my index es_splunk ,so that we can find all the null fields, regex case sensitive so it's only catching "null", all lower case, but they may ALL be that way anyway. Just mentioning for completeness... as well as there could be fields that are not "null" but simply an empty string. Those two cases should be checked if we want 100% coverage.

 

Thanks.

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2023 03:54 AM

As others already said what do you mean by "null fields"?

If you mean that you need all fields which contain literal "null" string, that's quite easy

index=myindex null

 If you mean that all possible extractions which are not actually extracted from given events... well, that's kinda impossible. Since most extraction work is done in search-time you don't know beforehand what fields you are supposed to have in the events. Only if a field matches a certain regex a given fields are extracted so you don't have a pre-defined set of fields which should be extracted from events for comparison with the values really extracted.

Reply

scelikok
SplunkTrust
SplunkTrust
‎01-24-2023 03:15 AM

Hi @AL3Z,

@ITWhisperer 's solution should help you. If not below query provides us some samples,

index=es_splunk | head 10

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-24-2023 03:09 AM

Are you looking for all events where any field no value (is null), or any field has the text "null" in any combination of case, or has any field has an empty string? You could try something like this

index=es_splunk
| eval _flag=0
| foreach *
  [| eval _flag=if(isnull('<<FIELD>>') OR match('<<FIELD>>',"(?i)null") OR '<<FIELD>>'=="", 1, _flag)]
| where _flag != 0

 Having said that, is that really what you want to do? 😀

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-24-2023 02:58 AM

Hi @AL3Z,

Could you please share some samples?

You can make regex with case insensitive option but I need to see sample events to cover your second case,

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

AL3Z
Builder
‎01-24-2023 03:01 AM

@scelikok 

could you pls provide me the query to get the  events 

 

thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...