Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Version 2.1 - New modifier to check if field is empty or null #142

Open
frack113 opened this issue Aug 6, 2024 · 1 comment
Open

Version 2.1 - New modifier to check if field is empty or null #142

frack113 opened this issue Aug 6, 2024 · 1 comment
Labels
enhancement New feature or request v2.1.0
Milestone
Version 2.1.0

Comments

@frack113
Copy link
Member

frack113 commented Aug 6, 2024

Add a new modifer to check if the field data is empty or null.
Some telemetry use - too

  • name: ?
  • type: boolean
    myfield|?: false

will cover

filter_null:
    myfield: null
filter_empty:
    myfield:  ''
    myfield: '-'
condition: not 1 of filter_*
@frack113 frack113 added enhancement New feature or request v2.1.0 labels Aug 6, 2024
@nasbench nasbench added this to the Version 2.1.0 milestone Aug 10, 2024
@Res260
Copy link
Contributor

Res260 commented Aug 13, 2024

What use case does this solve that |exists doesn't? IIRC most SIEMs I used cannot discriminate between a field existing and a field existing and having the null value. What are some examples of SIEMs that have this feature, and why would one want to use that instead of |exists?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request v2.1.0
Projects
None yet
Milestone
Version 2.1.0
Development

No branches or pull requests
3 participants
@nasbench @Res260 @frack113