Splunk Search

How do you see events where a variable's value is null?

pjdwyer
Explorer

I am trying to see the events that have null values for a variable called 'Issuer', but I can't seem to find a way to make this work.

Here are examples of what I have tried:

| where isnull(Issuer)
| search Issuer!="*"
| search Issuer!="A*" AND Issuer!="B*"... AND Issuer!="Z*"
| search NOT Issuer=*

Without any of these, the variable is present in about 95% of the events; I know that from clicking on the field 'Issuer' on the left-hand side of the search.

All three of those lines return nothing when used on their own.

One odd thing is that if I do this:

| search Issuer!="I*"

It will say that the variable is in every event, but if I try this:

| search Issuer="I*"

This also says the variable is in every event.

I do not know why this is happening so if anyone has any suggestions as to how I should go about finding these null variables please let me know. Thank you.

0 Karma
1 Solution

pjdwyer
Explorer

The problem had something to do with the rex command. This was my rex command:

| rex field=_raw "Issuer=\"(?<Issuer>.+)\";File"

Some of the variables around the Issuer variable just were not being caught, but when I changed it to this:

| rex field=_raw "Issuer=(?<Issuer>.+);File"

Everything gets caught. I believe this is a bug because I can have the '\"' on either side, but not both. I also tried using '\S' on both sides and that also does not capture everything. It also is not an issue with the string being captured because looking at the stats I can see that the number of individual Issuers caught does not change, but the number each individual one appears gets lowered slightly.


0 Karma
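To make the failure mode in the accepted answer concrete, here is an added example (not code from the thread or from Splunk) that emulates `| rex` and `| where isnull(Issuer)` with Python's `re` over a handful of constructed log lines. The assumption behind the sample data is that some events carry the Issuer value in quotes and some do not; that assumed variation reproduces exactly what the poster saw: the strict pattern keeps the same set of distinct issuers but undercounts each one, and the events it skips are the ones that show up as null. The `HARDENED` pattern is my suggestion, not something the thread proposes.

```python
import re

# Constructed sample events (not taken from the thread). Some quote the
# Issuer value and some do not; that format variation is an ASSUMPTION used
# to explain the behaviour described in the accepted answer.
RAW_EVENTS = [
    'Subject="alice";Issuer="Acme Root CA";File=a.pem',
    'Subject="bob";Issuer="Acme Root CA";File=b.pem',
    'Subject="carol";Issuer=Acme Root CA;File=c.pem',       # unquoted value
    'Subject="dave";Issuer="Beta Issuing CA";File=d.pem',
    'Subject="erin";Issuer=Beta Issuing CA;File=e.pem',     # unquoted value
    'Subject="frank";File=f.pem',                           # no Issuer at all
]

# Splunk rex uses PCRE named groups, (?<Issuer>...); Python's re spells the
# same group (?P<Issuer>...). The rest of each pattern is unchanged.
STRICT = re.compile(r'Issuer="(?P<Issuer>.+)";File')            # poster's original rex
LOOSE = re.compile(r'Issuer=(?P<Issuer>.+);File')               # poster's fix
HARDENED = re.compile(r'Issuer="?(?P<Issuer>[^";]+)"?;File')    # added suggestion: optional quotes, no greedy .+


def extract(pattern, raw):
    """Emulate `| rex field=_raw "<pattern>"`: the field value, or None when
    the regex does not match (Splunk then treats the field as null)."""
    m = pattern.search(raw)
    return m.group("Issuer") if m else None


def count_by_issuer(pattern, events):
    """Emulate `| stats count by Issuer` over the extracted values."""
    counts = {}
    for raw in events:
        value = extract(pattern, raw)
        if value is not None:
            counts[value] = counts.get(value, 0) + 1
    return counts


def null_events(pattern, events):
    """Emulate `| where isnull(Issuer)`: the events where extraction
    produced no field at all, i.e. the ones the poster could not find."""
    return [raw for raw in events if extract(pattern, raw) is None]


if __name__ == "__main__":
    for name, pattern in (("STRICT", STRICT), ("LOOSE", LOOSE), ("HARDENED", HARDENED)):
        print(name, count_by_issuer(pattern, RAW_EVENTS))
        print("  null events:", null_events(pattern, RAW_EVENTS))
```

Two things worth noticing when you run it. The poster's fix (`LOOSE`) does make every event match, but on quoted events the captured value keeps its surrounding quotes, so `"Acme Root CA"` and `Acme Root CA` become two distinct issuers in `stats`. A pattern with optional quotes and a non-greedy character class, in SPL `| rex field=_raw "Issuer=\"?(?<Issuer>[^\";]+)\"?;File"`, keeps one value per issuer and leaves only the events that genuinely have no Issuer as null, which is what `| where isnull(Issuer)` or `| fillnull value="NA" Issuer | search Issuer="NA"` from the thread will then surface.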

somesoni2
SplunkTrust

When you say null values, does your raw data have field values as literal null OR just blank? Give this a try:

your base search
| regex Issuer!=".+"

0 Karma

pjdwyer
Explorer

I don't know what the raw data for the field is when Splunk does not collect a value. I believe it is just blank though. The search you recommended brought up nothing. Thank you though.

0 Karma

pradeepkumarg
Influencer

Does this work?

| search NOT Issuer=*

0 Karma

pjdwyer
Explorer

No, I forgot to mention I tried that, sorry.

0 Karma

pradeepkumarg
Influencer
| fillnull value="NA" Issuer | search Issuer="NA"

0 Karma

pjdwyer
Explorer

That one was new, but it also returned nothing.
I'm beginning to think Splunk is not treating the values as though they are null, but I don't know how to figure out how it is treating them.

0 Karma