A.2 The notnull Query

You might need to find events where some field is present, or non-empty. For example, to find all events that have a value in the sun field, you might try to specify the query as sun:*

That query does not return the expected results because Lucene does not allow a wildcard as the first character of a search term. However, Sentinel provides an alternate solution. For every event, Sentinel creates a special field called notnull. The notnull field is a list of all fields in the event that are not null (not empty). For example, if an event has values in the evt, msg, sun, and xdasid fields, the notnull field contains the following value:

evt msg sun xdasid

The notnull field is a tokenized field, so the following kinds of queries are possible:

  • notnull:sun Finds all events whose sun field has a value.

  • notnull:xdas* Finds all events where any field beginning with the name "xdas" has a value.

When a notnull field is added in Lucene, creating, indexing, and storing this field adds a cost to processing each event: the CPU must create and index the field, and the field also requires additional storage space. If you want to disable storing the list of non-empty fields in the notnull field, set the following property in the /etc/opt/novell/sentinel/config/configuration.properties file:

indexedlog.storenotnull=false

Save the file and restart the Sentinel server. Events received after this property is set do not have a notnull field associated with them.

NOTE: If you disable the notnull field, do not use the notnull field in search filters, rule filters, or policy filters because the results might be incorrect and unpredictable.
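The following is an added illustration, not Sentinel's own indexer code: it models how the notnull field described above is derived from an event, how the notnull:sun and notnull:xdas* queries match against its tokens, and what happens to those queries when indexedlog.storenotnull=false. The events and the xdastype field name are constructed for the example.

```python
from typing import Any, Dict, List, Optional

# Constructed sample events; xdastype is an assumed field name used only here.
EVENTS: List[Dict[str, Any]] = [
    {"evt": "login", "msg": "user logged in", "sun": "alice", "xdasid": "1"},
    {"evt": "start", "msg": "service up", "sun": None, "xdasid": "", "xdastype": "boot"},
    {"evt": "fail", "msg": "", "sun": "bob", "xdasid": "2"},
]


def build_notnull(event: Dict[str, Any], store_notnull: bool = True) -> Optional[str]:
    """Model of the indexer: join the names of every non-null, non-empty field.

    Returns None when storing the notnull field is disabled, which is what the
    query side sees for events received after indexedlog.storenotnull=false.
    """
    if not store_notnull:
        return None
    return " ".join(name for name, value in event.items() if value not in (None, ""))


def notnull_matches(notnull_value: Optional[str], term: str) -> bool:
    """Evaluate one notnull:<term> clause against the tokenized field.

    Tokens are compared whole; a trailing '*' is a prefix wildcard. A leading
    wildcard is rejected, mirroring the Lucene restriction that makes sun:* fail.
    """
    if term.startswith("*"):
        raise ValueError("leading wildcard is not supported")
    if notnull_value is None:
        return False  # no notnull field stored: the clause can never match
    tokens = notnull_value.split()
    if term.endswith("*"):
        prefix = term[:-1]
        return any(token.startswith(prefix) for token in tokens)
    return term in tokens


def search(events: List[Dict[str, Any]], term: str, store_notnull: bool = True) -> List[int]:
    """Return the indexes of the events matched by notnull:<term>."""
    return [i for i, event in enumerate(events)
            if notnull_matches(build_notnull(event, store_notnull), term)]


if __name__ == "__main__":
    print(build_notnull(EVENTS[0]))        # evt msg sun xdasid
    print(search(EVENTS, "sun"))           # [0, 2]
    print(search(EVENTS, "xdas*"))         # [0, 1, 2]
    print(search(EVENTS, "sun", False))    # []  (notnull disabled: nothing matches)
```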