Is empty (isempty)
You can apply this operation either as a Filter or Create column operation:
Checks if a given string is empty.
Creates a Boolean column that shows true when a given string is empty.
How does it work in the search window?
Select Filter / Create column in the search window toolbar, then select the Is empty operation. This operation requires only one argument:
|String to be checked (mandatory)||string|
If you use the Create column operation, the data type of the values in the new column is boolean (true or false).
siem.logtrust.web.activity table, we want to create a new column to check if there are any empty values in the domain column strings.
Choose the Is empty operation from the list and select the string to be checked, which in this case is domain. You cannot add more than one argument. Once ready, click Create column.
As shown below, there are no empty values so the newly created column only shows false.
Using another table, we perform the same steps as above except this time we want to run the Is empty operation on the column named message.
Here we see that an empty value is shown as true.
How does it work in LINQ?
Use the operator
where... to apply the Filter operation and
as... to apply the Create column operation. These are the valid formats of the Is empty operation:
You can copy the following LINQ script and try the above example on the
from siem.logtrust.web.activity where isempty(domain)
And this is the same example using the Create column operation:
from siem.logtrust.web.activity select isempty(domain) as column1