The isnotempty function returns true if the argument isn’t an empty string and isn’t null. Use this function to filter for records with valid, non-empty values, ensure data quality, or validate that required fields contain actual content.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you check for non-empty values using conditions like field!="" and isnotnull(field). APL's isnotempty combines both checks.
['sample-http-logs']
| where isnotempty(field)

In ANSI SQL, you check for non-empty and non-null values using separate conditions. APL's isnotempty provides a more concise approach.
['sample-http-logs']
| where isnotempty(field)

Usage
Syntax
isnotempty(value)

Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| value | scalar | Yes | The value to test for being both non-empty and non-null. |
Returns
Returns true if the value is not an empty string and not null, otherwise returns false.
Use case examples
Filter HTTP logs to only include requests with valid geographic information for accurate location-based analytics.
Query
['sample-http-logs']
| where isnotempty(['geo.city']) and isnotempty(['geo.country'])
| summarize request_count = count() by ['geo.city'], ['geo.country']
| sort by request_count desc
| limit 10

Output
| geo.city | geo.country | request_count |
|---|---|---|
| New York | United States | 2341 |
| London | United Kingdom | 1987 |
| Tokyo | Japan | 1654 |
| Paris | France | 1432 |
This query filters requests to only include those with complete geographic information, ensuring accurate location-based analysis without null or empty values.
Analyze only traces with complete service information to ensure accurate service performance metrics.
Query
['otel-demo-traces']
| where isnotempty(['service.name']) and isnotempty(kind)
| summarize avg_duration = avg(duration), span_count = count() by ['service.name'], kind
| sort by span_count desc
| limit 10

Output
| service.name | kind | avg_duration | span_count |
|---|---|---|---|
| frontend | server | 125ms | 4532 |
| checkout | client | 89ms | 3421 |
| cart | internal | 56ms | 2987 |
This query filters traces to only include spans with complete service and kind information, ensuring reliable performance analysis without incomplete data.
Separate requests that carry a user identifier from those that don't, broken down by status code.
Query
['sample-http-logs']
| extend authenticated = isnotempty(id)
| summarize total_attempts = count(), authenticated_attempts = countif(authenticated) by status
| extend authenticated_percentage = round(100.0 * authenticated_attempts / total_attempts, 2)
| sort by total_attempts desc

Output
| status | total_attempts | authenticated_attempts | authenticated_percentage |
|---|---|---|---|
| 401 | 1234 | 889 | 72.04 |
| 403 | 987 | 864 | 87.53 |
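For each status code, this query counts how many requests carry a non-empty user ID. On failed-access statuses such as the 401 and 403 rows shown, this distinguishes attempts made with a user identifier from anonymous ones, helping security teams understand attack patterns. A non-empty id shows only that an identifier was present in the record, not that it was verified.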
List of related functions
- isempty: Returns true if a value is empty or null. Use this for the inverse check of isnotempty.
- isnotnull: Checks only if a value is not null. Use this when you specifically need to test for null without checking for empty strings.
- strlen: Returns the length of a string. Use this when you need to ensure strings have minimum content length beyond just being non-empty.
- coalesce: Returns the first non-null or non-empty value. Use this to select from multiple fields or provide defaults.
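
The difference between isnotnull and isnotempty described in the list above matters when auditing log quality: a field that is present but holds an empty string passes isnotnull and fails isnotempty. The following query is an added example, not part of the original documentation. It uses only functions named on this page and assumes the id and status fields of sample-http-logs as used in the earlier example.

```kusto
// Added example: split records by the state of the id field, per status.
['sample-http-logs']
| summarize
    total = count(),
    // id holds real content: neither null nor an empty string
    usable_id = countif(isnotempty(id)),
    // id is present but is an empty string: passes isnotnull, fails isnotempty
    empty_string_id = countif(isnotnull(id) and isempty(id)),
    // id is null or an empty string (isempty covers both cases)
    missing_id = countif(isempty(id))
  by status
// Whatever isempty matched that wasn't an empty string must be null
| extend null_id = missing_id - empty_string_id
| extend usable_percentage = round(100.0 * usable_id / total, 2)
| sort by total desc
```

A high empty_string_id count usually points to a collector or parser that emits the field without a value, which a filter built on isnotnull alone would let through.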