My Splunk data looks like this:
{
    "name": "john",
    "foo": []
}
Sometimes foo is empty, and sometimes it has data in it. I want to query for all the EMPTY using SPL2.
I tried foo=[]
and I tried foo="[]"
but neither works.
You can try the following syntax:
<your_search>
| where isnull('foo{}')
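
An added example, not part of the original answer: a self-contained search in classic SPL that builds three constructed events (foo empty, foo populated, foo missing) and keeps only the one where foo is an empty array. On its own, isnull('foo{}') is also true when the foo key is absent, so the example uses json_extract to separate the two cases. Assumptions: the events are parsed with spath, the Splunk version provides the json_extract eval function, and the names n and foo_state are hypothetical.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n=1, "{\"name\": \"john\", \"foo\": []}",
    n=2, "{\"name\": \"jane\", \"foo\": [\"a\", \"b\"]}",
    n=3, "{\"name\": \"joe\"}")
| spath
| eval foo_state=case(
    isnull(json_extract(_raw, "foo")), "missing",
    isnull('foo{}'), "empty",
    true(), "populated")
| where foo_state="empty"
| table name foo_state
```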