Re: Writing a regular expression to capture null v...

mahbs · ‎01-03-2018

Hi,

I've got fields which contain null values. I'm writing a regular expression to capture instances where fields contain null values.

This is what I have, but it's not working.
^(^.){0}$
I'm trying to say in this expression, looking something that's empty. But as mentioned before, it's not working. I'm not too sure how null works in splunk.

Could someone please help me with this?

Thanks
Mahbs

micahkemp · ‎01-03-2018

Do you want to find events like:

fieldyoucareabout= otherfield1=value1 otherfield2=value2

Or instead:

otherfield1=value1 otherfield2=value2

elliotproebstel · ‎01-03-2018

Have you tried using your base search | where isnull(fieldname) syntax rather than regular expressions? You can use this to find events with null values for any number of fields by chaining them like this: your base search | where isnull(fieldname) OR isnull(field2name)...

niketn · ‎01-03-2018

@mahbs, can you add sample events and also your current code using the code button (101010) on Splunk Answers, so that special characters do not escape?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Writing a regular expression to capture null values

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...