What is the correct query for the below findings?


1 comment

    Rick Jury

    Hi Omer, if these are JSON-formatted logs you could right-click on the 'get if not empty' field in the search UI and select 'Parse the selected key',

    then use something like the isempty function, for example:
    | where !(isempty(your_parsed_field_name))

    The JSON format looks a bit tricky in your example because it's a nested array, so you could also switch to the 'raw' view and use parse regex to parse out the field value instead, then once again use isempty. Parse regex is a good choice here as you could match \n for newlines, for example.

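Added worked example, not part of the original question or of Rick's reply: a constructed Sumo Logic query that applies both approaches from the reply (parse the key from the JSON, or parse regex over the raw text) and then filters on the parsed field. Because the original findings are not shown on this page, the sample message, the _sourceCategory value, the JSON path findings[0].value and the field name get_if_not_empty are all assumptions.

```sumo
// Constructed sample message (assumption, not from the original post). The value
// of interest sits inside a nested array, and it may be empty or span a newline:
//   {"scan":"nightly","findings":[{"name":"get if not empty","value":""},{"name":"host","value":"web01"}]}

_sourceCategory=app/scanner
// Option 1: parse the key straight out of the JSON. The path indexes into the
// nested array; nodrop keeps messages where the key is absent so they can still
// be inspected instead of silently disappearing from the results.
| json field=_raw "findings[0].value" as get_if_not_empty nodrop
// Option 2 (use instead of the json line above when the entry is not always at
// index 0): anchor on the entry's name in the raw text and capture its value.
// [\s\S]*? also matches newlines, so a multi-line value is captured whole.
// | parse regex "\"name\":\"get if not empty\",\"value\":\"(?<get_if_not_empty>[\s\S]*?)\"" nodrop
// Keep only messages where the field was found and is non-empty.
| where !isNull(get_if_not_empty) and !isEmpty(get_if_not_empty)
```

The 'Parse the selected key' action in the search UI writes a line of the first form for you; whatever alias follows `as` is the name to use in the `where` clause. The regex form is the one to reach for when the array order varies or the value contains line breaks, since an index-based JSON path cannot express "the entry whose name is X".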
