Splunk Search

Searching for the empty string

jwestberg
Splunk Employee
Splunk Employee

In a datasource that uses single quotes as the event delimiter, like so:

field1='value1' field2='value2' field3=''

Splunk will correctly extract value1 and value2 as just that, without the single quotes. Thus, I am able to find events that contain field1='value1' by running the search field="value1", that is, with double quotes.

Searching for field3='' works too, but the search field3="" fails.

Is there a setting that controls this somehow? Or do I really have to use different queries for different log types, if I want to search for an empty field value?

jrodman
Splunk Employee
Splunk Employee

Do you know what splunk thinks the value of the field is? What if you use exportcsv, what's in the field? That should narrow down the nature of the fail.

0 Karma

steveyz
Splunk Employee
Splunk Employee

My guess is that we aren't stripped the single quotes if the resulting values is empty. Therefore, the value for field3 that we store is literally ''. When it comes to searching for terms, ' is not a special character, but " is. So field3="" would search for event with a blank value for field3, but the way we extract it, it is not blank. Try using a manual regex to extract out the value of field3 and see if it works with that.

jwestberg
Splunk Employee
Splunk Employee

Ah fair enough. So the problem no longer is searching for the empty string, but rather how to extract it so that I can later search for it. Still seems like I can't get it done properly. I either end up with '' as a value with AUTO_KV set to auto and with AUTO_KV set to "none" it will simply not recognize that the event with the empty field have a field-value pair at all.

0 Karma

Marklar
Splunk Employee
Splunk Employee

Sure - so the value of error_message isn't empty. It's literally two single quotes. Extraction problem.

0 Karma

jwestberg
Splunk Employee
Splunk Employee

search: "error_message='' | eval x=len(error_message)" gives the value 2 for x. For the more eclectic 2-character delimiters I was using above, it gives 4.

0 Karma

Marklar
Splunk Employee
Splunk Employee

An easy way to test whether the field value is truly empty is to use eval or where. For example, "... | where len(field) > 0" or "... | eval length = len(field)"

0 Karma

jwestberg
Splunk Employee
Splunk Employee

As a test, I changed the delimiter completely to something Splunk would not understand by default, and set up a REGEX in transforms.conf to capture it. It captures all non-empty strings fine, but chokes on the empty string, even though the capture regex clearly captures the empty string if I run it manually over a field-value pair with an empty value field. The regex in question looks like this: REGEX = ([^\s]+)=°'(.*?)'°

0 Karma

araitz
Splunk Employee
Splunk Employee

The following would make the value blank:

 ...| replace '' with "" | ...

Or your could use field extractions instead of auto kv to make the empty field whatever you want; however, S&I will tell you that searching for field=value where "field=value" is actually in the raw event is much better.

I don't understand why field3="" would work unless the value was a literal double double-quote. What is the purpose of the actual search, maybe I could help more?

Lowell
Super Champion

What about this: ... | replace "'*'" with "*" | ... This has the advantage that it should strip out all the leading and trailing single-quotes for empty and non-empty fields.

0 Karma

jwestberg
Splunk Employee
Splunk Employee

In my case, I have Splunk indexing a log which contains the state changes of a type of object. That object will have certain fields that change over time, and the empty string is a perfectly valid value for these fields to assume.

One field in particular will when set to the empty string signify an important change in the object, and the most convenient way of finding that state is to search for when that field value assumes the empty string.

I am unsure if |replace is a good idea here, both due to performance and the fact that I'd need to reuse the trick manually if the need ever reappears

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...