Refine your search:

How can I search for a missing field?

2
1

Let's say I have events A and B:

A -- Feb 1 2010 10:10:00 field1=foo field2=bar
B -- Feb 1 2010 10:10:01 field1=foo

How can I find all events where field2 is missing (essentially event B in this tiny example)?

asked 03 Feb '10, 02:22

hulahoop's gravatar image

hulahoop ♦
2.5k3240
accept rate: 40%

edited 03 Feb '10, 03:25

V_at_Splunk's gravatar image

V_at_Splunk
8121414
3 Answers:
oldestnewestmost voted
4

Ok, so I tried a few things, and this is what ended up working:

NOT field2=*

It would be more intuitive if this worked also:

field2=""
link

answered 03 Feb '10, 02:23

hulahoop's gravatar image

hulahoop ♦
2.5k3240
accept rate: 40%

field2="" means something very different. It means that field2 exists, but has an empty string value.

(03 Feb '10, 04:49) gkanapathy ♦

yes, but in splunk land, would a field ever exist and be empty?

(03 Feb '10, 18:02) hulahoop ♦
1

It's a valid state of a field. You can get there with regex extractions.

Do you mean that this is an undesirable thing?

(03 Feb '10, 18:29) jrodman ♦

hey k8to, i'm just wondering if it can actually happen, and if splunk would behave consistently.

(04 Feb '10, 05:12) hulahoop ♦

Yes, it can happen.

(31 Aug '10, 05:59) gkanapathy ♦
2

You can do this on your search:

| where isnull(field2)
link

answered 03 Feb '10, 18:01

dinh's gravatar image

dinh
190111
accept rate: 33%

1

Note that using

field2!=*

will not work either. This will never return any events, as it will always be false. This means that field2!=* and NOT field2=* are not entirely equivalent. In particular, in the case where field2 doesn't exist, the former is false, while the latter is true.

link

answered 03 Feb '10, 04:58

gkanapathy's gravatar image

gkanapathy ♦
26.3k1622
accept rate: 42%

It seems like they are logically equivalent, but Splunk does not treat them so. Is that a fair statement?

(03 Feb '10, 06:00) hulahoop ♦
1

No they are not logically equivalent. There is a difference between being empty, and not existing.

(03 Feb '10, 06:43) gkanapathy ♦

Well, I guess it depends what you mean by "logically equivalent", but there is a difference in meaning regardless of how Splunk treats them.

(03 Feb '10, 06:45) gkanapathy ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,088
×334

Asked: 03 Feb '10, 02:22

Seen: 1,496 times

Last updated: 03 Mar '10, 18:27

Related questions

Search Language variable for search duration

search-time extracted field showing no results when used in search

how do I pull just the host field out of a search to use as input for a custom search module

troubleshoot search time field extraction with search pools and mounted knowledge bundles

splunk search language

On the Fly KV Generation for Search Language Testing

Search query with the field of a search like the one on another search

are search language *keywords* case-sensitive?

How do you use a field defined in the search as a search parameter?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.