Sentinel Log Manager allows you to search for events that have empty fields as well as fields with any value.
In Sentinel Log Manager, you cannot use wildcards to search for all events with a particular field and any value. Wildcards do not work in Lucene because it does not allow the * or ? characters to be the first character of a search value.
For example, if you want to find all events whose sn field has a value and it is not empty, the search would fail if the query is sn:*
Instead, you must use the notnull field that has been added and associated with every event.The notnull field contains a list of fields in the event that have a non-empty value. You can use this field to find events with non-empty values.
For example, to query for events where the sn field is not empty, run the following query:
To find all events whose sn field is empty, run the following query:
sev:[0 TO 5] NOT notnull:sn
This query includes all events whose sev field contains a value between 0 and 5, but excludes events that have sn in the notnull field. This effectively leaves only events whose notnull field does not have sn in it, that is events whose sn field is empty.
In Lucene search syntax, NOT terms must be combined with one or more non-NOT terms. In the example discussed above, this is accomplished by combining the sev:[0 TO 5] term.The NOT terms are applied to all the events found by the non-NOT terms.
When a notnull filed is added in Lucene, creating, indexing, and storing this field adds a cost to processing each event as CPU needs to create and index the field and it also requires additional storage space. If you want to disable storing the list of non-empty fields in the notnull field, set the following property in the /etc/opt/novell/sentinel_log_mgr/config/configuration.properties file:
Save the file and restart the Sentinel Log Manager server. All events received after this property was set will not have a notnullfield associated.
NOTE:If you disable the notnull field, do not use the notnull field in search filters, rule filters, or policy filters because the results might be incorrect and unpredictable.