Splunk Search

For a field extracted at index-time, is there a way to put a default value such as "Empty" instead of having no field?

Super_Knulps
Explorer

Hello,

I have a field that is extracted at index-time if it matches a specific regexp.
However, in some cases, the extracted field is empty and therefore the field is NULL.

I would like to put a default value (basic string such as "Empty") instead of having no field.
Is there a way to do it using parameters in the configuration files or maybe using the regular expression?

Basically I am doing this in most of my searches:

> my_field = $variable$

And I want to search:

> myfield = null()

Without modifying the "my_field = something" since this is templated.

Thank you very much!

0 Karma
1 Solution

rsennett_splunk
Splunk Employee

There is a parameter you can add to your transforms stanza so that if there is no value to hold, the field just doesn't exist.

KEEP_EMPTY_VALS = [true|false]

It sounds like you've set it to true, or that something has set that as the default (it defaults to false, so you should have no field if there is no value).

Then you begin your search with nameofindexfield=* and Splunk will work on only events where the field exists.

If you want the field to exist with a value, then fillnull or coalesce would be the way to go at search time (they are Search Language commands).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
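As an added illustration (not part of rsennett_splunk's answer or of any Splunk documentation), this is how the index-time extraction described above is wired across transforms.conf, props.conf and fields.conf. The stanza name, sourcetype, field name and regex are placeholders I made up; only the setting names are real.

```ini
# transforms.conf (constructed example)
[extract_my_field]
# Capture whatever follows "user="; an empty capture is the "no value to hold" case.
REGEX = user=([^\s,]*)
FORMAT = my_field::$1
# WRITE_META = true turns this into an index-time (indexed) extraction.
WRITE_META = true
# false is the default: when the capture is empty, my_field is simply not created.
# Set it to true only if you really want an indexed field holding an empty string.
KEEP_EMPTY_VALS = false

# props.conf (constructed example)
[my_sourcetype]
TRANSFORMS-my_field = extract_my_field

# fields.conf (constructed example): declare the field as indexed so that
# my_field=* at the start of a search is served from the index, not by a search-time scan.
[my_field]
INDEXED = true
```

With KEEP_EMPTY_VALS left at false, starting a search with `my_field=*` returns only events that actually carry the field; if you instead want every event to have some value, the page's search-time answer applies: `... | fillnull value="Empty" my_field | ...`. Note that index-time changes only affect data indexed after the configuration is deployed; events already on disk keep whatever fields they were indexed with.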


Super_Knulps
Explorer

Yes actually I would like the field to exist.
I would like to do > myfield=something at the beginning of my search and to avoid doing more operations.

If I use fillnull this means that I will have to do this:
| fillnull myfield | search myfield="0" | eval myfield= if(myfield="0","Empty", myfield) | ...
Which is really not the point.

0 Karma

woodcock
Esteemed Legend

You are mistaken, you can do something like this:

... | fillnull value="Empty" myfield | ...

Which, if I am not mistaken, is totally the point.

0 Karma

Super_Knulps
Explorer

Okay thank you woodcock, I understand what you mean.
My problem is that my search is templated and generated by Chef: it is following this format:
> myfield = $variable$

So there will always be a static part: "> myfield = ". In my case, this would work:

> myfield = * OR NOT myfield | fillnull value="Empty" myfield | search myfield="Empty"

But this is not pretty.
Anyway I think I will do this for now if there is no work around.

0 Karma

woodcock
Esteemed Legend

So you accept my unpretty answer?

0 Karma

rsennett_splunk
Splunk Employee

myfield=* means pull only events where myfield exists. In other words, the FIELD (not the value)

NOT myfield=* means pull only events where the field does NOT exist

In your case, as you said, you always have the field, but sometimes it contains NULL.
That's why woodcock is focusing on fillnull, because that's all you need... OR NOT myfield is gibberish to Splunk.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma

woodcock
Esteemed Legend

Do this at search time with fillnull (also see coalesce command).

Super_Knulps
Explorer

This is a good idea but I don't want other operations since I really would like to keep myfield=something at the beginning of my search. Something like myfield=null() would be perfect and I really want to avoid:
| fillnull myfield | search myfield="0" | eval myfield= if(myfield="0","Empty", myfield) | ...

which is very ugly.

0 Karma