Splunk Search

Lookup could not display field value that is null

LeeZeeYuen
New Member

I have a field called "ipexist" in the dataset that has two values: empty (which Splunk treats as null by default) and a string value.

I want to use the lookup command to obtain two other fields, but strangely some events that have a null value for ipexist could not display the said two other fields. Below is a sample event with the said fields.

In the image above you can see the top event does not have the "severity" and "severity_level" fields, but the two below have them. I would like to know how to still display the fields despite having a null value for "ipexist".

Edit:
Updated image since the first screenshot had some issues.

Update:
I forgot to mention that some events do not have the value "source_IP". The field "ipexist" uses "source_IP" as its value.


493669
Super Champion

Firstly, we have made null 'ipexist' values into source_IP1 in both the index as well as in the lookup. Now we have a join, so it will join correctly, and then we just change source_IP1 to source_IP while displaying... so I don't think it will give wrong output.


LeeZeeYuen
New Member

Ahhhh, I get it now. Haha, sorry, kinda slow, I had to google what the eval if statement does. Yeah, the logic makes sense, but apparently it is not displaying any of the fields in the events.

https://imgur.com/a/zctvw


493669
Super Champion
index="printerlinuxlog"|eval ipexist=if(isnull(ipexist),"source_IP1",ipexist)|stats count by ipexist

Does this give all ipexist fields containing either the source_IP1 or source_IP value?


LeeZeeYuen
New Member

Yes, it does; the count matches up to the total events.
https://imgur.com/a/5IfRM


493669
Super Champion

OK, now check the lookup count:

| inputlookup hp_message |stats count by ipexist

LeeZeeYuen
New Member

Here you go! It could only count the source_IP values that are contained in the lookup table.
https://imgur.com/a/Ql0Jq


493669
Super Champion

But the lookup has null 'ipexist' present, which we have converted into source_IP1, but I am not able to see it there.


LeeZeeYuen
New Member

If I were to use the eval command you suggested, it would replace the lookup's ipexist field for all the null values.
https://imgur.com/a/Khu7p


493669
Super Champion

Now if you run:
| inputlookup hp_message |eval ipexist=if(isnull(ipexist),"source_IP1",ipexist)|outputlookup hp_message
it will store back to the lookup.
Then you should be able to join with outcome, message and ipexist to get the output.
Also, I am assuming there is no null value in the outcome and message fields.

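Putting the suggestions in this thread together, here is the full sequence as an added example (not code from any of the posters): the first search rewrites the lookup once so that blank or null ipexist rows carry a non-empty sentinel, and the second search applies the same sentinel to the events before the lookup and then counts, per ipexist value, how many events actually received the OUTPUT fields, which is the check the thread works through by hand. It assumes the lookup hp_message with the fields outcome, message, ipexist, siem_severity and syslog_severity from the question; the sentinel "none" is a chosen placeholder that must not collide with a real source_IP value, and a non-empty sentinel avoids the question of whether a blank CSV cell is read as an empty string or as null.

```spl
| inputlookup hp_message
| fillnull value="none" ipexist
| outputlookup hp_message

index="printerlinuxlog"
| fillnull value="none" ipexist
| lookup hp_message outcome AS outcome message AS message ipexist AS ipexist OUTPUT siem_severity AS severity_level syslog_severity AS severity
| eval lookup_hit=if(isnotnull(severity) OR isnotnull(severity_level), "hit", "miss")
| stats count BY ipexist lookup_hit
```

Take a copy of the lookup first (| inputlookup hp_message | outputlookup hp_message_backup, where hp_message_backup is a placeholder name) because outputlookup overwrites the file. A row with ipexist=none and lookup_hit=miss means the sentinel never reached the lookup, while a miss for a real address points at the outcome or message keys rather than at ipexist.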

493669
Super Champion

or do you want to replace severity_level and severity from lookup?


LeeZeeYuen
New Member

The OUTPUT was just trying to rename them. The values for the two fields will remain as they are from the dataset.


nabeel652
Builder
<snip> | fillnull value=unknown ipexist | lookup yourlookup ipexist output yourfields | </snip>

Hope this works.


LeeZeeYuen
New Member

I tried using fillnull before on "ipexist", but it would not display the other two output-ed lookup fields.


DalJeanis
Legend

Probably the most direct way to deal with it would be to do something like this before your lookup...

| eval ipexist=coalesce(ipexist,"")

... and set up the lookup table itself to have a blank instead of a NULL.


LeeZeeYuen
New Member

Thank you for the suggestion, but I tried it and it didn't work. The lookup table has blank values, which Splunk interprets as null (shown in italics). The event would not display the two output-ed fields. However, it did declare the null value of "ipexist" as blank.

This is the command used:

The results:
The image shows that it displays "ipexist=" but no sign of "severity" or "severity_level".

Thanks for the help!


niketn
Legend

@LeeZeeYuen, I think you would need to post your screenshot again for the community to help. You can upload it to an image sharing site and then add the link using the image button while posting your comment/update to the question.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

LeeZeeYuen
New Member

Ah, sorry, I didn't know the screenshot wasn't working. Thanks for the heads up!


p_gurav
Champion

Hi LeeZeeYuen,

Are you using the ipexist field for mapping in the lookup?


LeeZeeYuen
New Member

Yes, the command used for the lookup is

index="printerlinuxlog"
| lookup hp_message outcome as outcome message as message ipexist as ipexist OUTPUT siem_severity as severity_level syslog_severity as severity
