Splunk Search

Search for null fields following rex field extraction

DanSec
Engager

I have a current search used in dashboards and alerts. It extracts fields from an existing field. I'm trying to edit this to only return results if the extracted fields are null/empty but I get no results. Essentially this is used to extract ticket numbers and descriptions entered into a freeform text box and I'm trying to pick up when this isn't entered or entered incorrectly.

My search:


index=<MyIndex> sourcetype=<MySourceType> log_subtype=general description=CommitAll*
| rex field=description "JobId=(?<JobId>.*?)\." | rename JobId as "Job ID"
| rex field=description "User:\s(?<user>.*?)\." | rename user as User
| rex field=description "Commit Description:\s(?<CommitDescription>.*)" | rename CommitDescription as "Commit Description"
| rex field=description "(?<JobDescription>.*).*JobId" | rename JobDescription as "Job Description"
| rex field=description "device-group\s(?<DeviceGroup>.*?)\s" | rename DeviceGroup as "Device Group"
| rex field=description "template\s(?<Template>.*?)\s"
| rex field="Commit Description" "\b(?<TicketNumber>\d{5})\b" | rename TicketNumber as "Ticket Number"
| transaction "Job ID" | table _time,host,"Job ID",User,"Ticket Number","Commit Description","Template","Device Group","Job Description"


I have tried adding:


| where isnull("Ticket Number") OR "Ticket Number"=""


I'm assuming that if the search is unable to extract the fields because a ticket number or description has not been entered, then the field won't exist to search?

I'm going round in circles here as I don't really understand what happens if the field extraction rex doesn't find a match.


ITWhisperer
SplunkTrust

Try putting the field names in single quotes in the where command

| where isnull('Ticket Number') OR 'Ticket Number'=""

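Why the double-quoted version returns nothing and the single-quoted version works, as an added worked example that is not part of the original thread: in `eval` and `where`, a double-quoted token is a string literal and a single-quoted token is a field reference, so `isnull("Ticket Number")` tests the literal string "Ticket Number" (never null) and `"Ticket Number"=""` compares two different literals (never true). The search below uses `makeresults` to build three constructed description values (sample data, not from the poster's index), reuses the thread's own rex extractions, and shows both comparisons side by side. It can be pasted into any Splunk search bar without needing the original index.

```spl
| makeresults count=3
| streamstats count AS n
| eval description=case(
    n==1, "Commit Description: 12345 firewall rule change. JobId=101.",
    n==2, "Commit Description: change without a ticket. JobId=102.",
    n==3, "JobId=103.")
| rex field=description "JobId=(?<JobId>.*?)\." | rename JobId as "Job ID"
| rex field=description "Commit Description:\s(?<CommitDescription>.*)" | rename CommitDescription as "Commit Description"
| rex field="Commit Description" "\b(?<TicketNumber>\d{5})\b" | rename TicketNumber as "Ticket Number"
| eval literal_test=if("Ticket Number"="", "matched-literal", "no-match"),
       field_test=if(isnull('Ticket Number') OR 'Ticket Number'="", "missing", "present")
| table "Job ID", "Commit Description", "Ticket Number", literal_test, field_test
| where isnull('Ticket Number') OR 'Ticket Number'=""
```

Run without the final `where`, `literal_test` is "no-match" on all three rows while `field_test` is "present" only for Job ID 101; with the `where` in place, only Job IDs 102 (a description with no five-digit number) and 103 (no description at all) survive, which is the set of commits the alert should flag. The `isnull()` branch is the one doing the work: when a `rex` pattern does not match, Splunk simply does not create the field, so it is null rather than an empty string, and the `=""` branch only matters if something upstream explicitly wrote an empty value.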

DanSec
Engager

Looking for the facepalm emoji!

Thanks @ITWhisperer 

