Splunk Search

How can I search for a missing field?

hulahoop
Splunk Employee

Let's say I have events A and B:

A -- Feb 1 2010 10:10:00 field1=foo field2=bar
B -- Feb 1 2010 10:10:01 field1=foo

How can I find all events where field2 is missing (essentially event B in this tiny example)?

1 Solution

hulahoop
Splunk Employee

Ok, so I tried a few things, and this is what ended up working:

NOT field2=*

It would be more intuitive if this worked also:

field2=""


support0
Path Finder

fillnull field2 | search field2=0


dinh
Path Finder

You can do this on your search:

| where isnull(field2)

gkanapathy
Splunk Employee

Note that using

field2!=*

will not work either. This will never return any events, as it will always be false. This means that field2!=* and NOT field2=* are not entirely equivalent. In particular, in the case where field2 doesn't exist, the former is false, while the latter is true.

gkanapathy
Splunk Employee

Well, I guess it depends what you mean by "logically equivalent", but there is a difference in meaning regardless of how Splunk treats them.


gkanapathy
Splunk Employee

No, they are not logically equivalent. There is a difference between being empty and not existing.

hulahoop
Splunk Employee

It seems like they are logically equivalent, but Splunk does not treat them so. Is that a fair statement?


leonjxtan
Path Finder

The first code works; the second code doesn't.


otman01
Communicator

It works, thank you all, have a nice day.


gkanapathy
Splunk Employee

Yes, it can happen.


hulahoop
Splunk Employee

Hey k8to, I'm just wondering if it can actually happen, and if Splunk would behave consistently.


jrodman
Splunk Employee

It's a valid state of a field.
You can get there with regex extractions.

Do you mean that this is an undesirable thing?

hulahoop
Splunk Employee

Yes, but in Splunk land, would a field ever exist and be empty?


gkanapathy
Splunk Employee

field2="" means something very different. It means that field2 exists, but has an empty string value.

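To make the "missing" versus "exists but empty" distinction discussed in this thread visible without real data, here is an added SPL example (not from any poster) that constructs three synthetic results with makeresults: one where field2 has a value, one where it was never set (null), and one where it is assigned an empty string. The state, is_null and is_empty_string columns are names chosen for this example.

```spl
| makeresults count=3
| streamstats count AS n
| eval field1="foo"
| eval field2=case(n==1, "bar", n==3, "")
| eval state=case(n==1, "A: field2 has a value", n==2, "B: field2 does not exist (null)", n==3, "C: field2 exists but is an empty string")
| eval is_null=if(isnull(field2), "yes", "no")
| eval is_empty_string=if(isnotnull(field2) AND len(field2)==0, "yes", "no")
| table n field1 field2 state is_null is_empty_string
```

Appending `| where isnull(field2)` keeps only row 2, the case the original question asks about, while row 3 is the situation `field2=""` describes.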