Solved: Missing field detection

sranga · ‎05-18-2010

Hi

I was wondering if there was a way to search for logs that don't have a specific field in them.
If I have the following log file:

id=112233,type=a,message=b,name=ewr,status=404  
id=2233,type=b,message=b,name=rrr  
id=434343,type=c,message=b,name=ooo,status=200  
id=6556,type=d,message=b,name=ppp

How do I get lines 2 & 4 in my search (since they don't have the status field)?
Thanks for your help.

Ranga

Lowell · ‎05-18-2010

You want to use the search expression:

NOT status="*"

Keep in mind that this is not equivalent to:

status!="*"

I recommend looking at this related question for additional explanation on this: How can I search for a missing field?

I should also point out that if the word "status" is part of the event (as shown in your example), then you could simply search like this:

NOT status

Which could be faster since "status" would be a term in the index, which is a faster operation than comparing an extracted field. (Although, with a small number of events you may not notice the difference.)

View solution in original post

Lowell · ‎05-18-2010

You want to use the search expression:

NOT status="*"

Keep in mind that this is not equivalent to:

status!="*"

I recommend looking at this related question for additional explanation on this: How can I search for a missing field?

I should also point out that if the word "status" is part of the event (as shown in your example), then you could simply search like this:

NOT status

Which could be faster since "status" would be a term in the index, which is a faster operation than comparing an extracted field. (Although, with a small number of events you may not notice the difference.)

Missing field detection

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services