
Query - Field Null Check Filter

Sections
  1. sIsnull(field)
  2. Example

sIsnull(field)

The sIsnull filter is used to match a ‘null’ field.

search sIsnull("@fields.nullfield")

In the above example, the search matches all records where the field ‘@fields.nullfield’ is ‘null’ valued. Note that the ‘null’ value must be a valid JSON ‘null’ value. Values such as the string “null”, or the values of non-existent keys, do not match this selector.

Example

Consider the following data set:

{"id":1,"isprime":"no","nullfield":null,"numstr":"1","odd":true,"divisors":1}
{"id":2,"isprime":"yes","nullfield":"null","numstr":"2","even":true,"divisors":2}
{"id":3,"isprime":"yes","nullfield":null,"numstr":"3","odd":true,"divisors":2}
{"id":4,"isprime":"no","nullfield":"null","numstr":"4","even":true,"divisors":3}
{"id":5,"isprime":"yes","nullfield":null,"numstr":"5","odd":true,"divisors":2}

An example record, after JSON parsing:

{
  "@message": "",
  "@facility": "kern",
  "@level": "notice",
  "@tags": [
    "fpl-null-example"
  ],
  "@source": "log-generator",
  "@sender": "1.2.3.4",
  "@timestamp": 1662053991000,
  "@fields": {
    "numstr": "1",
    "divisors": 1,
    "id": 1,
    "isprime": "no",
    "odd": true,
    "nullfield": null
  },
  "@type": "event"
}

The following example matches the 3 (out of 5) events where ‘@fields.nullfield’ is ‘null’ valued. The events where the value is the string literal “null” are not matched.

search sIsnull("@fields.nullfield")
let {id, isprime, odd, even, nullfield} = f("@fields")

Note that the search filter does not return a presentable value. It is almost always followed by the data extraction command ‘let’.

Note: The table in the Fluency interface will show ‘null’ fields as empty.
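
The distinction described above between a JSON ‘null’, the string “null” and a missing key, emulated in plain JavaScript as an added example (this is not FPL and not Fluency's implementation). The sample lines are the page's five records wrapped under ‘@fields’ plus a constructed record 6 that has no ‘nullfield’ key; the function names and the dotted-path lookup are assumptions.

```javascript
// Constructed sample: the five records from the data set above, wrapped under
// "@fields" as in the parsed event, plus a constructed id 6 without the key.
const RAW_EVENTS = [
  '{"@fields":{"id":1,"isprime":"no","nullfield":null,"odd":true}}',
  '{"@fields":{"id":2,"isprime":"yes","nullfield":"null","even":true}}',
  '{"@fields":{"id":3,"isprime":"yes","nullfield":null,"odd":true}}',
  '{"@fields":{"id":4,"isprime":"no","nullfield":"null","even":true}}',
  '{"@fields":{"id":5,"isprime":"yes","nullfield":null,"odd":true}}',
  '{"@fields":{"id":6,"isprime":"no","even":true}}',
];

// Hypothetical helper: walk a dotted path (assumed lookup rule) and report
// key presence separately from the value, so null and "absent" stay distinct.
function resolvePath(record, path) {
  let node = record;
  for (const key of path.split(".")) {
    const isObject = node !== null && typeof node === "object";
    if (!isObject || !Object.prototype.hasOwnProperty.call(node, key)) {
      return { present: false, value: undefined };
    }
    node = node[key];
  }
  return { present: true, value: node };
}

// Emulates the matching rule described for sIsnull: key exists AND value is JSON null.
function isNullField(record, path) {
  const hit = resolvePath(record, path);
  return hit.present && hit.value === null;
}

// Sort event ids into the three cases that a loose "is it empty?" test conflates.
function auditNullField(rawLines, path) {
  const out = { matched: [], stringNull: [], missing: [] };
  for (const line of rawLines) {
    const event = JSON.parse(line);
    const id = event["@fields"].id;
    const hit = resolvePath(event, path);
    if (isNullField(event, path)) out.matched.push(id);
    else if (!hit.present) out.missing.push(id);
    else if (hit.value === "null") out.stringNull.push(id);
  }
  return out;
}

console.log(auditNullField(RAW_EVENTS, "@fields.nullfield"));
```

Because the Fluency table shows ‘null’ fields as empty, an audit of this kind helps tell a source that emits a real ‘null’ apart from one that serializes the string “null” or drops the key.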

Page last updated: 2022 Oct 02