Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Handling empty fields in format command

ceedwlt
Explorer
‎09-14-2015 07:57 AM

I have a search that uses a subsearch to filter out certain kinds of logs. I'm using the format command to create the filter list for the base search, as so: 

<base search> | where NOT [<subsearch> | fields <field> | format]

Everything works fine until there's a time period where there's nothing that needs filtering. Instead, format simply returns NOT () which causes the base search to fail with this message:

Error in 'where' command: The 'not' function is unsupported or undefined.

Is there a standard way to handle this situation? I've tried using fillnull with no success.

Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-14-2015 11:22 AM

Just replace "| where" by "| search" and it should work fine.

<query> | search NOT [<sub-query> | fields <field> | format]

See this run anywhere sample search

index=_internal  earliest=-15m  | head 100 | search NOT [ search index=_internal32454  earliest=-15m | head 1| table sourcetype | makemv sourcetype | mvexpand sourcetype | format ]| stats count by sourcetype

Replace search by where to check that your error is replicated

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-14-2015 12:59 PM

Get rid of the | where and it should work fine.

Reply
Solved! Jump to solution

ceedwlt
Explorer
‎09-15-2015 07:50 AM

This also works, I didn't have time to check it earlier. Thanks!

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎09-14-2015 11:22 AM

Just replace "| where" by "| search" and it should work fine.

<query> | search NOT [<sub-query> | fields <field> | format]

See this run anywhere sample search

index=_internal  earliest=-15m  | head 100 | search NOT [ search index=_internal32454  earliest=-15m | head 1| table sourcetype | makemv sourcetype | mvexpand sourcetype | format ]| stats count by sourcetype

Replace search by where to check that your error is replicated

Reply
Solved! Jump to solution

ceedwlt
Explorer
‎09-15-2015 02:09 AM

Perfect, that solved it - thanks!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-15-2015 07:27 AM

As my solution indicates, you should not need either clause.

0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...