The isempty function returns true if the argument is an empty string or null. Use this function to filter out records with missing or empty string values, validate data completeness, or identify fields that need default values.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you check for empty values using conditions like field="" or isnull(field). APL's isempty combines both checks.
['sample-http-logs']
| where isempty(field)
In ANSI SQL, you check for empty or null values using separate conditions. APL's isempty provides a more concise approach.
['sample-http-logs']
| where isempty(field)
Usage
Syntax
isempty(value)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| value | scalar | Yes | The value to check for emptiness or null. |
Returns
Returns true if the value is an empty string or null, otherwise returns false.
Use case examples
Identify HTTP requests with missing or empty geographic information for data quality monitoring.
Query
['sample-http-logs']
| extend has_empty_city = isempty(['geo.city']),
has_empty_country = isempty(['geo.country'])
| where has_empty_city or has_empty_country
| summarize incomplete_records = count() by has_empty_city, has_empty_country, status
| sort by incomplete_records desc
Output
| has_empty_city | has_empty_country | status | incomplete_records |
|---|---|---|---|
| true | false | 200 | 1234 |
| true | true | 404 | 567 |
| false | true | 500 | 234 |
This query identifies requests with incomplete geographic data, helping assess data quality and identify potential issues with geo-IP lookups.
Find traces with missing service information to identify instrumentation gaps.
Query
['otel-demo-traces']
| extend empty_service = isempty(['service.name']),
empty_kind = isempty(kind)
| where empty_service or empty_kind
| summarize problematic_spans = count() by empty_service, empty_kind
Output
| empty_service | empty_kind | problematic_spans |
|---|---|---|
| false | true | 234 |
| true | false | 89 |
This query identifies spans with missing required fields, helping improve observability instrumentation by highlighting gaps in trace data.
Detect authentication attempts with missing user identifiers that might indicate anonymized or suspicious activity.
Query
['sample-http-logs']
| where status == '401' or status == '403'
| extend empty_id = isempty(id)
| summarize failed_attempts = count(), empty_id_attempts = countif(empty_id) by status
| extend anonymous_percentage = round(100.0 * empty_id_attempts / failed_attempts, 2)
| sort by failed_attempts desc
Output
| status | failed_attempts | empty_id_attempts | anonymous_percentage |
|---|---|---|---|
| 401 | 1234 | 345 | 27.96 |
| 403 | 987 | 123 | 12.46 |
This query analyzes the percentage of failed authentication attempts without user IDs, helping security teams identify potential anonymous attack patterns.
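The totals above hide when the empty-ID failures occurred. The following added example (not part of the original documentation) buckets the same calculation by hour so a burst stands out from the baseline. The one-hour bin and the two thresholds are assumptions to tune against your own traffic.

```kusto
['sample-http-logs']
| where status == '401' or status == '403'
// Count all failures and the subset with a null or empty id, per hour and status
| summarize failed_attempts = count(),
    empty_id_attempts = countif(isempty(id))
    by bin(_time, 1h), status
| extend anonymous_percentage = round(100.0 * empty_id_attempts / failed_attempts, 2)
// Assumed thresholds: skip low-volume hours, keep hours where most failures lack an id
| where failed_attempts >= 50 and anonymous_percentage >= 50
| sort by _time asc
```

Hours returned by this query are candidates for review. An empty result means no hour crossed both thresholds in the selected time range.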
List of related functions
- isnotempty: Returns true if a value is not empty and not null. Use this for the inverse check of isempty.
- isnull: Checks only if a value is null. Use this when you specifically need to test for null without checking for empty strings.
- coalesce: Returns the first non-null or non-empty value. Use this to provide default values for empty fields.
- strlen: Returns the length of a string. Use this when you need to check if a string has content beyond just emptiness.