What is the correct query for the below findings?

Follow
Avatar
Omer Shliva
I would like to get all the results that have a non-empty field in the "Get if not empty" field.
 
Which query should I use?
 
10/10/2021
9:14:59.885 AM +0300
{
  • msg:
    {
    • ReportTime:"2021-10-10T06:14:59.885Z",
    • Account id:"111223344",
    • Get if not empty:
      [
      • {
        • "Hi, I have content here"
0

Comments

1 comment

Sort by Date Votes
  • Avatar
    Rick Jury

    Hi Omer if this is JSON formatted logs you could right click on the 'get if not empty' field in the search UI and select 'Parse the selected key' 

    then use something like the isempty function for example:
    | where !(isempty(your_parsed_field_name))

    the json format looks a bit tricky in your example because it's a nested array so you could also switch to the 'raw' view and use parse regex to parse out the field value instead, then once again use isempty. Parse regex is a good choice here as you could match \n for newlines for example.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post