In Microsoft IIS logs, when a field is empty, a dash ( - ) is used instead of leaving the value blank. Presumably this is because IIS logs are space delimited, so otherwise it would just have three consecutive spaces which might be ignored. However, even though there is something in the field, I can't search for something like cs_username="-" and get any results. Is this something Splunk is doing, where it is treating the dash as a NULL?
I have a dashboard where I track HTTP errors by cs_username, but when the username is not present, I can't drill down on the dash, I can only drill down on actual username values. Is there a way to make the dash an active, drillable value? I tried this but it didn't work:
| fillnull value="-" cs_username
How can I search the cs_username field when the value is a dash?
As @PickleRick replied, you can avoid this just by using the EVAL or applying filters to look for everything different from null or blank.
You can also create a field extraction using Regex to avoid situations like this, for example:
| rex field=_raw "cs_username=\"(?<cs_username>.+?)\"\s"
To be precise, I didn't suggest using evals. This eval is already defined within the TA and it's the reason why the field is empty.
I will try both approaches today and see what happens. Thanks for the suggestions!
It is deliberately set this way by the IIS TA.
EVAL-user = if(cs_username == "-", null(), cs_username)
So it's not that Splunk doesn't find it, it's just that the field is set to empty value when there is nothing there.
Looking for
cs_username!=*
or
NOT cs_username=*
(these are not equivalent in general but in this case both can be used)
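Because the TA eval drops "-" at search time, a drilldown that searches cs_username="-" finds nothing, so the panel can compute the correct filter itself. This is an added Simple XML example, not code from the thread; the index, the ms:iis:auto sourcetype and the sc_status>=400 error threshold are assumptions.

```xml
<panel>
  <table>
    <title>HTTP errors by user (dash rows drill into NOT cs_username=*)</title>
    <search>
      <query>
        index=iis sourcetype=ms:iis:auto sc_status>=400
        | fillnull value="-" cs_username
        | stats count by cs_username
        | eval user_filter=if(cs_username=="-",
              "NOT cs_username=*",
              "cs_username=\"" . cs_username . "\"")
      </query>
    </search>
    <!-- hide the helper column; it only feeds the drilldown link -->
    <fields>cs_username, count</fields>
    <drilldown>
      <!-- $row.user_filter$ is the filter string built above; |u URL-encodes it -->
      <link target="_blank">search?q=index%3Diis%20sourcetype%3Dms%3Aiis%3Aauto%20sc_status%3E%3D400%20$row.user_filter|u$</link>
    </drilldown>
  </table>
</panel>
```

Rows with a real username drill into cs_username="name", while the "-" row drills into NOT cs_username=*, which is what the events actually contain after the TA eval.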