Splunk Search

How can I search for events that do not contain a field?

chris
Motivator

Hi

I have defined a field for different types of events, the field is recognized in all the events I want to see it. Most likely because the regex is not good enough yet. So I am interested in seeing all the events that do not contain the field I defined.

How do I search for events that do not contain a specific field?

Thanks

Chris

1 Solution

bwooden
Splunk Employee
Splunk Employee

If I want to find all events with a field named foo

* | where isnotnull(foo)

If I want to find all events without a field named foo

* | where isnull(foo)

View solution in original post

borisalves
Path Finder

| search foo="*"

bwooden
Splunk Employee
Splunk Employee

If I want to find all events with a field named foo

* | where isnotnull(foo)

If I want to find all events without a field named foo

* | where isnull(foo)

chris
Motivator

Cool thank you or the quick reply

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...