The isnotnull function returns true if the argument isn’t null. Use this function to filter for records with defined values, validate data presence, or distinguish between null and other values including empty strings.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you check for non-null values using the isnotnull() function. APL's isnotnull works the same way.
['sample-http-logs']
| where isnotnull(field)
In ANSI SQL, you check for non-null values using IS NOT NULL. APL's isnotnull provides the same functionality with function syntax.
['sample-http-logs']
| where isnotnull(field)
Usage
Syntax
isnotnull(value)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| value | scalar | Yes | The value to check for non-null. |
Returns
Returns true if the value is not null, otherwise returns false. Note that empty strings return true because they are not null.
Use case examples
Filter HTTP logs to only include requests where duration information is available for performance analysis.
Query
['sample-http-logs']
| where isnotnull(req_duration_ms)
| summarize avg_duration = avg(req_duration_ms),
max_duration = max(req_duration_ms),
request_count = count() by status
| sort by avg_duration desc
| limit 10
Output
| status | avg_duration | max_duration | request_count |
|---|---|---|---|
| 500 | 987.5 | 5432 | 234 |
| 200 | 145.3 | 3421 | 8765 |
| 404 | 89.7 | 987 | 1234 |
This query filters to only include requests with duration data, ensuring accurate performance metrics without skewing calculations with null values.
Analyze traces with recorded durations to calculate accurate service performance metrics.
Query
['otel-demo-traces']
| where isnotnull(duration)
| summarize p50_duration = percentile(duration, 50),
p95_duration = percentile(duration, 95),
trace_count = count() by ['service.name']
| sort by p95_duration desc
| limit 10
Output
| service.name | p50_duration | p95_duration | trace_count |
|---|---|---|---|
| checkout | 234ms | 987ms | 3421 |
| frontend | 145ms | 654ms | 4532 |
| cart | 89ms | 456ms | 2987 |
This query ensures duration calculations are based only on spans with recorded timing data, preventing null values from affecting percentile calculations.
Track requests with identified users to analyze authenticated access patterns versus anonymous attempts.
Query
['sample-http-logs']
| extend has_user_id = isnotnull(id)
| summarize requests_by_type = count() by has_user_id, status, ['geo.country']
| sort by requests_by_type desc
| limit 10
Output
| has_user_id | status | geo.country | requests_by_type |
|---|---|---|---|
| true | 401 | United States | 456 |
| true | 403 | Unknown | 345 |
| false | 401 | Russia | 234 |
| false | 403 | China | 123 |
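This query distinguishes between authenticated and truly anonymous access attempts by checking for user ID presence, helping identify different attack patterns. Because isnotnull returns true for empty strings, a request with an empty id still counts as having a user ID here; use isnotempty when empty IDs should be treated as anonymous.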
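The difference between a missing and an empty user ID, as an added example that is not part of the original documentation: it splits failed-authentication requests into three buckets with APL's isnull, isempty, and case functions. It assumes that status is stored as a string in sample-http-logs and that 401 and 403 are the responses of interest.

```kusto
// Added example, not from the original page.
// Assumption: status is a string field, so it is compared to '401' / '403'.
['sample-http-logs']
| where status == '401' or status == '403'
// isnotnull(id) alone would put 'empty' and 'present' in the same bucket,
// because an empty string is not null. Separate the three cases explicitly.
| extend id_state = case(
    isnull(id), 'missing',   // field absent from the event
    isempty(id), 'empty',    // field sent, but as an empty string
    'present')               // field carries a value
| summarize failures = count() by id_state, status, ['geo.country']
| sort by failures desc
| limit 10
```

A large 'empty' bucket usually points at clients that send the field without a value, which an isnotnull filter would count as identified users.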
List of related functions
- isnull: Returns true if a value is null. Use this for the inverse check of isnotnull.
- isnotempty: Checks if a value is not empty and not null. Use this when you need to ensure both conditions.
- coalesce: Returns the first non-null value from a list. Use this to provide default values for null fields.
- gettype: Returns the type of a value. Use this to distinguish between null and other types.