in splunk search How to get all instances that has a field without any value

Question

This is the line in my log file.I want to get all searchTerms that do not have a value for PAMapped

2012-10-29 11:20:21,711 - searchTerm=speeding&location=Soperton%2C+GA&PAMapped=

This is the search I gave.

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" NOT PAMapped=* earliest=-1mon@mon

But it does not return all instances. It returns only one.

Answer 1

Try this query:

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" earliest=-1mon@mon | where isnull(PAMapped)

Answer 2

I assume the PAMapped field has already been extracted...

I would use the fillnull command (docs) to add a generic value to all empty values in this field. This would then allow for much simpler filtering on the fields which have a NULL value, like in your use-case.

For example you could probably do something like:

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" earliest=-1mon@mon | fillnull value=NULL PAMapped | search PAMapped=NULL

This may not be the most effecient search, but it may give better potential for expansion.

You could also try using where command to filter results (docs1 & docs2), something like the following may work:

index=savvis-varnish host="dell1000a-12" source="/flocal/logs/lawyers.findlaw.com/search-mapping.log" earliest=-1mon@mon | where isnull(PAMapped)

Hope this helps.

P.S. You can find more helpful and prompt responses over at SplunkBase the official Splunk forum.