We are seeing empty fields in our logs but it is showing that the logs do have a file size using "| _size as size".
The empty fields aren't actually blank but are NULL characters which are being written when the logs are produced.
Here is a query you can run to search and see the contents of the empty logs
| extract "^(?<blank>\u0000+)$" nodrop
| length(blank) = 0 as should_include
If you hover your mouse over the field name within the Field Browser you can see the null characters.
We recommend reviewing how you are writing your logs from your application. You can also view the null characters using a text editor https://www.sublimetext.com
Please sign in to leave a comment.