Null is not a reserved word in Splunk. So your solution may appear to work, but it is actually testing … In the search command, the text following an equal sign is considered a string. But it probably works in your application.
One more question we ran across in our research was “Why can’t I find null values in Splunk?”
The problem is that there are two different null-like states in Splunk. In one, the field has no value and is truly null. In the other, the field has a value, but the value is “” (empty, unprintable and zero-length), which is not null. What you need to use to cover all of your bases is this instead: You can test this like this:
Blank space is actually a valid value, hex 20 = ASCII space – but blank fields rarely occur in Splunk. Yes, you can use isnotnull with the where command. But it is most efficient to filter in the very first search command if possible.
While writing we ran into the question “How to handle complex fields in where/eval statements in Splunk?”
NOTE THE SINGLE QUOTES in the isnull call. Inside where/eval statements, Splunk does not handle complex field names well and requires that you wrap them in SINGLE quotes. Hopefully this answer makes sense and is helpful.
When does a field have a value but is not null?
In one case the field has no value and is truly null. In the other it has a value, but the value is “” (empty, unprintable and zero-length), which is not null. What you need to use to cover all of your bases is this instead: Of course, this only works if it is empty; very occasionally you may find a field with only whitespace in it.
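
The three states described above (truly null, zero-length string, whitespace only), together with the single-quoting of a complex field name, as an added SPL example that is not from the original answers. The field name src.user and all sample values are constructed for illustration.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_user=case(n=2, "", n=3, " ", n=4, "constructed_value")
| rename src_user AS "src.user"
| eval state=case(
    isnull('src.user'),        "null (field absent)",
    'src.user'="",             "empty string (not null)",
    len(trim('src.user'))=0,   "whitespace only (not null)",
    true(),                    "has a value")
| table n state
```

No index is needed because makeresults generates the rows. Row 1 never gets the field (case returns null when no condition matches), so it is the only row that isnull catches.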