5.4 Searching for Events with Empty or Non-Empty Fields

Sentinel Log Manager allows you to search for events that have empty fields as well as fields with any value.

5.4.1 Searching for Events with a Non-Empty Field

In Sentinel Log Manager, you cannot use a wildcard to search for all events that have any value in a particular field. Lucene's query parser does not allow the * or ? characters as the first character of a search value, so a value that consists only of a wildcard is rejected.

For example, if you want to find all events whose sn field has a non-empty value, the query sn:* fails.

Instead, use the notnull field, which Sentinel Log Manager adds to every event. The notnull field contains the list of fields in the event that have a non-empty value, so searching it finds the events in which a given field is populated.

For example, to query for events where the sn field is not empty, run the following query:

notnull:sn

5.4.2 Searching For Empty Fields

To find all events whose sn field is empty, run the following query:

sev:[0 TO 5] NOT notnull:sn

This query matches all events whose sev field contains a value between 0 and 5, and then excludes the events that list sn in their notnull field. What remains are the events whose notnull field does not contain sn, that is, the events whose sn field is empty.

In Lucene search syntax, a NOT term must be combined with one or more non-NOT terms; a query that consists only of NOT terms returns no results. In the example above, the sev:[0 TO 5] term supplies the required non-NOT term. The NOT terms are applied only to the events found by the non-NOT terms, so the non-NOT term must match every event you want to consider: sev:[0 TO 5] covers the full severity scale and therefore matches every event, whereas a narrower range such as sev:[0 TO 3] would silently drop the empty-sn events whose severity is 4 or 5.
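To make the mechanism concrete, the following is an added example (not code from Sentinel Log Manager or its documentation) that models the notnull field and evaluates the queries from 5.4.1 and 5.4.2 over a handful of constructed events. The field names sev, sn and notnull come from the page; the id and msg fields, the event values, and the small query parser are assumptions made for illustration only and do not reproduce the real Sentinel search engine.

```python
import re
from typing import Any, Dict, List, Set

# Constructed sample events (not real Sentinel data).  sev and sn are the
# field names used on the page; id and msg are assumed for illustration.
# "" and None both stand for an empty field; event 5 has no sn field at all.
EVENTS: List[Dict[str, Any]] = [
    {"id": 1, "sev": 2, "sn": "alice", "msg": "login ok"},
    {"id": 2, "sev": 4, "sn": "",      "msg": "login failed"},
    {"id": 3, "sev": 0, "sn": None,    "msg": "heartbeat"},
    {"id": 4, "sev": 5, "sn": "root",  "msg": "sudo session opened"},
    {"id": 5, "sev": 3,                "msg": "sn field absent"},
]


def build_notnull(event: Dict[str, Any]) -> Set[str]:
    """Names of the fields that carry a non-empty value.

    This is what the page says the notnull field holds for every event.
    """
    return {name for name, value in event.items()
            if name != "notnull" and value not in (None, "")}


def index_events(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Attach a notnull field to each event, as Sentinel does at index time."""
    return [dict(e, notnull=build_notnull(e)) for e in events]


# Query syntax supported by this model: field:value, field:[lo TO hi], NOT.
TOKEN_RE = re.compile(r"\w+:\[\d+ TO \d+\]|\w+:\w+|NOT")
RANGE_RE = re.compile(r"^(\w+):\[(\d+) TO (\d+)\]$")
TERM_RE = re.compile(r"^(\w+):(\w+)$")


def parse_query(query: str):
    """Split a query into its positive terms and its NOT terms.

    A value that starts with * or ? is rejected up front, modelling the
    Lucene parser behaviour the page describes for sn:* (a model, not the
    real Sentinel parser).
    """
    if re.search(r":[*?]", query):
        raise ValueError(f"{query!r}: '*' or '?' not allowed as first character")
    tokens = TOKEN_RE.findall(query)
    if "".join(tokens).replace(" ", "") != query.replace(" ", ""):
        raise ValueError(f"{query!r}: unsupported syntax")
    positive, negative, negate = [], [], False
    for tok in tokens:
        if tok == "NOT":
            negate = True
            continue
        (negative if negate else positive).append(tok)
        negate = False
    return positive, negative


def term_matches(event: Dict[str, Any], term: str) -> bool:
    """True if one term (range or field:value) matches the event."""
    m = RANGE_RE.match(term)
    if m:
        field, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        value = event.get(field)
        return isinstance(value, int) and lo <= value <= hi
    field, value = TERM_RE.match(term).groups()
    if field == "notnull":
        return value in event["notnull"]
    return event.get(field) == value


def run_query(events: List[Dict[str, Any]], query: str) -> List[int]:
    """Return the ids of the events the query matches.

    Positive terms are ANDed; every NOT term is then subtracted from that
    result.  This is why a NOT term needs a positive companion: with no
    positive term the candidate set is empty and nothing is returned.
    """
    positive, negative = parse_query(query)
    if not positive:
        return []
    hits = [e for e in events if all(term_matches(e, t) for t in positive)]
    hits = [e for e in hits if not any(term_matches(e, t) for t in negative)]
    return [e["id"] for e in hits]


def lucene_accepts(query: str) -> bool:
    """True if the modelled parser accepts the query, False if it rejects it."""
    try:
        parse_query(query)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    idx = index_events(EVENTS)
    for q in ("notnull:sn", "sev:[0 TO 5] NOT notnull:sn",
              "sev:[0 TO 3] NOT notnull:sn", "NOT notnull:sn"):
        print(f"{q:30} -> {run_query(idx, q)}")
    print("sn:* accepted?", lucene_accepts("sn:*"))
```

Running the block shows the three behaviours the section describes: notnull:sn returns only the events with a populated sn, the full-range query with NOT returns exactly the events whose sn is empty or absent, and the pure NOT query returns nothing. The sev:[0 TO 3] variant is included to show the pitfall of a non-NOT term that does not cover every event: the empty-sn event with severity 4 disappears from the result without any error.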