I am using the **iplocation** command on an IP based field to add new fields to each event, most importantly the **Country** field. I want to then filter the output to only entries where the **Country** field is not blank. I tried using:
```
Country=*
```
but entries with blank values still are returned.
I also tried using:
```
isnotnull(Country)
```
but it returns true where the field is clearly blank. Can anyone explain this behavior?
My query:
```
index::proxy host::proxyhost sourcetype::bcoat_log
| regex cs_host="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| top cs_host limit=0
| iplocation cs_host
| search Country=*
| eval null=if(isnotnull(Country),"true","false")
```
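Added illustration, not part of the original post: when `iplocation` cannot resolve an address it leaves `Country` present but empty, and an empty string is not null. `isnotnull()` is therefore true and `Country=*` still matches, while testing the string itself separates the two cases. The search below builds its own sample rows with `makeresults` (constructed values, no real log data) so the difference can be seen without the proxy index.

```spl
| makeresults count=3
| streamstats count AS n
| eval Country=case(n==1, "United States", n==2, "", n==3, null())
| eval is_not_null=if(isnotnull(Country), "true", "false")
| eval is_blank=if(Country=="", "true", "false")
| where isnotnull(Country) AND Country!=""
```

Row 1 (a real country) survives the final `where`; row 2 (empty string) is reported as `is_not_null=true` yet `is_blank=true` and is dropped; row 3 (a true null) is dropped by `isnotnull`. In the original query, replacing `| search Country=*` with `| where isnotnull(Country) AND Country!=""` (or `| where len(Country)>0`) keeps only events whose lookup actually returned a country.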