Version 2.1 - New modifier to check if field is empty or null

Question

Version 2.1 - New modifier to check if field is empty or null

Opened this issue 4 months ago · 1 comments

Add a new modifer to check if the field data is empty or null.
Some telemetry use - too

name: ?
type: boolean

    myfield|?: false

will cover

filter_null:
    myfield: null
filter_empty:
    myfield:  ''
    myfield: '-'
condition: not 1 of filter_*

Answer 1 · 2024-08-13T22:27:17.000Z

What use case does this solve that |exists doesn't? IIRC most SIEMs I used cannot discriminate between a field existing and a field existing and having the null value. What are some examples of SIEMs that have this feature, and why would one want to use that instead of |exists?