Data tables null value - show on aggregate

I believe the issue here is less about NULL and more about when Graylog/Elasticsearch encounters a message where OBJECT_SCHEMA does not have a value, the field is not stored in Elasticsearch for that message. So it doesn’t exist with a value of null…it simply doesn’t exist within that message and its fields.

If you need to count its “existential field crisis” (😛) ~and~ you want to show it listed in a widget, you will need to create a pipeline rule that will find all messages where OBJECT_SCHEMA ~should~ exist and insert it with some value like `set_field("OBJECT_SCHEMA", "!?!");`

If you were so inclined, the link that @gsmith provided earlier, “Allow empty fields in Graylog”, has some links in it for how to change Elasticsearch to allow a null_value field with a custom mapping.

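A sketch of the pipeline rule described in the post above, added here as an example and not taken from the thread or from Graylog's own content. It assumes a hypothetical companion field `OBJECT_NAME` marks the messages where `OBJECT_SCHEMA` should exist; replace that condition with whatever identifies your source.

```graylog
rule "backfill missing OBJECT_SCHEMA"
when
    // Assumption: OBJECT_NAME is a hypothetical field that is always present
    // on the messages that are expected to carry OBJECT_SCHEMA.
    has_field("OBJECT_NAME") AND
    // Field absent from the message, or present but empty.
    (NOT has_field("OBJECT_SCHEMA") OR to_string($message.OBJECT_SCHEMA) == "")
then
    // Placeholder value from the post, so these messages get their own
    // bucket in aggregation widgets instead of being left out.
    set_field("OBJECT_SCHEMA", "!?!");
end
```

The rule only affects messages processed after it is attached to a pipeline stage on the relevant stream; messages already indexed keep the field missing.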