Hi,
I am trying to find all the events related to a field where the value is NULL.
For example, say the field has multiple values like
abc
def
mno
-- This is NULL value
xyz
-- This is NULL value
pqr.
I am trying to search via the query below, but that's not working.
Here parent_incident is the field name, which contains multiple values including NULL, and I need data related to NULL values only.
index=main sourcetype=snow:incident endpoint="https://server.service-now.com/" NOT parent_incident=*
Any help would be appreciated.
Thanks