Merge pull request #46 from arblade/main

Fixing field null expression
SigmaHQ · Dec 3, 2024 · 2685a3e · 2685a3e
2 parents 57bb93c + 5b47835
commit 2685a3e
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/sigma/backends/splunk/splunk.py b/sigma/backends/splunk/splunk.py
@@ -135,7 +135,7 @@ class SplunkBackend(TextQueryBackend):
         SigmaCompareExpression.CompareOperators.GTE: ">=",
     }
 
-    field_null_expression: ClassVar[str] = "{field}!=*"
+    field_null_expression: ClassVar[str] = "NOT {field}=*"
 
     convert_or_as_in: ClassVar[bool] = True
     convert_and_as_in: ClassVar[bool] = False