Re: Find null values in multivalue fields

luna · ‎03-25-2021

Hello,

Need to find null values from multivalue field. I am using mvcount to get all the values I am interested for the the events field I have filtered for. However, I get all the events I am filtering for. What I am really after is seeing where event=A is null. Would like to see event output the value that is null, like: Null, B, C, D wherever A is null. Any suggestions?

| index="dc_green_idx" event=A OR event=B OR event=C OR event=D

| eval Unsupp=case(event="A", TimeSubmitted)

| eval BUnsupp=if(isnull(Unsupp),"yes","no")

| stats  latest(TimeSubmitted) as TimeSubmitted  values(event) as event max(BUnsupp) as BUnsupp by invite | sort -TimeSubmitted

| where mvcount(event)>3 AND isnull(Unsupp)

ITWhisperer · ‎03-25-2021

Unsupp is not passed through the stats command so will always be null - if all 4 event types are present, mvcount will be > 3 i.e. A was present (and not null). You need to pass Unsupp through stats (values(Unsupp) as Unsupp) and you need to be looking for results where mvcount < 4

luna · ‎03-25-2021

@ITWhisperer

I would like where I at least have two event values, because the second value is dependent on the third. So at least I should see event=b and event=c I think mvcount >=2 would do it, since I can at least get the 2 values then if I’m missing event=a from those 2 I know a is null... is my thought process correct?

ITWhisperer · ‎03-25-2021

That sounds a good approach

Find null values in multivalue fields

eval

fields

other

stats

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!