Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I search for event with null values in fields

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:07 PM

I'm trying to find all events in the logs that have no value in a field. What's the simplest query for that?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:12 PM

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

View solution in original post

Reply
Solved! Jump to solution

siraj198204
Explorer
‎10-17-2014 10:10 AM

Hi,

i added | where len(sso_id)>0 this search with the above search ...

it is looks good ... working very good ...

Thank u ...

0 Karma
Reply
Solved! Jump to solution

Kwip
Contributor
‎12-19-2017 09:20 AM

I downvoted this post because by mistake

0 Karma
Reply
Solved! Jump to solution

siraj198204
Explorer
‎10-17-2014 09:08 AM

Hi ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "([[^]]]){10}[(?P[^]])]" |dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_sso |where matched_sso!="NonNbcAccount"

This is working good ,

output ,

10/17/14
12:04:48.549 PM
example 1

[10/17/2014][09:04:48.549][1041173424][s1206273/r789][Supportcentral Internal][][][][][][127004108][][][][][][supportcentralalpcispweb536vprd][** Status: Authorized. ][]
host =useclpapl894.nbcuni.ge.com
matched_sso =127004108
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =127004108

example 1 is correct ..

10/17/14
12:04:48.547 PM

example 2 ,

[10/17/2014][09:04:48.547][1041173424][][][SupportCentral allow access][NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]
host =useclpapl894.nbcuni.ge.com
matched_sso ="NonNbcAccount"
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =

in example 2 is having null value , the 11th field is null [] ... but it is returning that value also ...

actually i dont want null value ..

0 Karma
Reply
Solved! Jump to solution
Solution

JChodagam
Splunk Employee
Splunk Employee
‎07-27-2011 04:12 PM

For instance, all events with NULL TicketId can be retrieved by -

sourcetype=mysql_config NOT TicketId="*"

Reply
Solved! Jump to solution

JoeSco27
Communicator
‎09-06-2013 11:51 AM

for example if you don't want "value OR value" you can use:
key!="value OR value" , the explanation point "bang" does the same function as the NOT

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎04-25-2013 12:33 AM

Is there another way, to search null without "NOT" ?
I user Sideview and Pulldowns with "+OR+" Separator... so the output from the pulldown for the underlying search is key="value OR value" I can't use NOT there...

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...