The isnull function evaluates its argument and returns true if the argument is null. Use this function to identify missing data, filter out incomplete records, or validate that optional fields are absent.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you check for null values using the isnull() function. APL's isnull works the same way.
['sample-http-logs']
| where isnull(field)
In ANSI SQL, you check for null values using IS NULL. APL's isnull provides the same functionality with function syntax.
['sample-http-logs']
| where isnull(field)
Usage
Syntax
isnull(value)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| value | scalar | Yes | The value to check for null. |
Returns
Returns true if the value is null, otherwise returns false. Note that empty strings return false because they are not null.
Use case examples
Identify HTTP requests with missing duration information to assess data quality and completeness.
Query
['sample-http-logs']
| extend missing_duration = isnull(req_duration_ms)
| summarize total_requests = count(),
missing_duration_count = countif(missing_duration),
missing_percentage = round(100.0 * countif(missing_duration) / count(), 2) by status
| sort by missing_duration_count desc
| limit 10
Output
| status | total_requests | missing_duration_count | missing_percentage |
|---|---|---|---|
| 500 | 1234 | 123 | 9.97 |
| 200 | 8765 | 87 | 0.99 |
| 404 | 2341 | 23 | 0.98 |
This query identifies the percentage of requests missing duration data by status code, helping assess logging infrastructure reliability and identify potential issues.
Find traces with missing duration information to identify instrumentation problems.
Query
['otel-demo-traces']
| extend null_duration = isnull(duration)
| where null_duration
| summarize incomplete_spans = count() by ['service.name'], kind
| sort by incomplete_spans desc
| limit 10
Output
| service.name | kind | incomplete_spans |
|---|---|---|
| product-catalog | server | 234 |
| cart | internal | 123 |
| checkout | client | 89 |
This query identifies services with incomplete trace data, helping pinpoint instrumentation issues where duration information is not being captured properly.
Identify anonymous access attempts by finding requests without user identification.
Query
['sample-http-logs']
| extend anonymous = isnull(id)
| summarize total_failures = count(),
anonymous_failures = countif(anonymous) by status, ['geo.country']
| extend anonymous_rate = round(100.0 * anonymous_failures / total_failures, 2)
| where anonymous_failures > 10
| sort by anonymous_failures desc
| limit 10
Output
| status | geo.country | total_failures | anonymous_failures | anonymous_rate |
|---|---|---|---|---|
| 401 | Unknown | 567 | 345 | 60.85 |
| 403 | Russia | 234 | 189 | 80.77 |
| 401 | China | 198 | 156 | 78.79 |
This query identifies patterns of anonymous failed access attempts by country, helping security teams detect automated attacks or scanning activity.
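Because isnull returns false for empty strings, a request whose id arrives as "" is not counted as anonymous by the query above. The following query is an added example, not part of the original page; it assumes some log sources write an empty id instead of omitting the field, and it uses isempty and isnotnull from the related functions list to show how many unidentified requests an isnull-only check leaves out.

```kusto
['sample-http-logs']
// Count the two ways a request can lack user identification:
//   null_id  -> id is absent (what isnull detects)
//   empty_id -> id is present but is an empty string (isnull returns false)
| summarize total_requests = count(),
    null_id = countif(isnull(id)),
    empty_id = countif(isnotnull(id) and isempty(id)) by status, ['geo.country']
// isempty covers both cases, so the full unidentified count is the sum.
| extend unidentified = null_id + empty_id
| extend unidentified_rate = round(100.0 * unidentified / total_requests, 2)
// Keep only groups where an isnull-only check would undercount.
| where empty_id > 0
| sort by empty_id desc
| limit 10
```

If this query returns no rows, isnull(id) alone already captures every unidentified request in the dataset.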
List of related functions
- isnotnull: Returns true if a value is not null. Use this for the inverse check of isnull.
- isempty: Checks if a value is empty or null. Use this when you need to check for both null and empty strings.
- coalesce: Returns the first non-null value from a list. Use this to provide default values for null fields.
- gettype: Returns the type of a value. Use this to distinguish between null and other types.