https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306701#M57831 <P>Oh, maybe @somesoni2 solution can be useful - <A href="https://answers.splunk.com/answers/434015/is-it-possible-to-replace-null-fields-at-index-tim.html">Is it possible to replace null fields at index-time?</A></P> Sun, 27 Aug 2017 01:38:19 GMT ddrillic 2017-08-27T01:38:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306698#M57828 <P>I am building a TA. </P> <P>The issue I am having is the log file has a field error="". Even though it is null the error field is still there and causing CIM to tag the logs as error. I am hoping you can help me to only return the error field if there is a value other than null. Also note, I am looking for a way to do this without having to write a regex string as I have the same issue across a bunch of other sourcetypes.</P> <PRE><CODE>&lt;30&gt;2017:08:27-10:30:12 sophos httpproxy[19742]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="1.1.1.1" dstip="1.1.1.1" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="855" request="0xdffdb" url="https://www.google.com.au/" referer="" error="" authtime="0" dnstime="579003" cattime="288" avscantime="0" fullreqtime="109809548" device="0" auth="0" ua="" exceptions="" category="145" reputation="trusted" categoryname="Search Engines" application="google" app-id="182" </CODE></PRE> Sun, 27 Aug 2017 01:10:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306698#M57828 dsofoulis 2017-08-27T01:10:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306699#M57829 <P>Similar question at <A href="https://answers.splunk.com/answers/216026/how-do-i-remove-a-null-field.html">How do I remove a null field?</A></P> Sun, 27 Aug 2017 01:24:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306699#M57829 ddrillic 2017-08-27T01:24:13Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306700#M57830 <P>thanks for sharing, but will only remove the null value when performing a search. I need to this to happen at index time.</P> Sun, 27 Aug 2017 01:27:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306700#M57830 dsofoulis 2017-08-27T01:27:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306701#M57831 <P>Oh, maybe @somesoni2 solution can be useful - <A href="https://answers.splunk.com/answers/434015/is-it-possible-to-replace-null-fields-at-index-tim.html">Is it possible to replace null fields at index-time?</A></P> Sun, 27 Aug 2017 01:38:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306701#M57831 ddrillic 2017-08-27T01:38:19Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306702#M57832 <P>Did that solution work @dsofoulis? If so we can close the question.</P> Tue, 29 Aug 2017 16:44:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306702#M57832 lfedak_splunk 2017-08-29T16:44:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306703#M57833 <P>You would probably be best to strip the null error completely out of the raw event with this on your Indexers:</P> <PRE><CODE>SEDCMD_remove_empty_error_KVP = "s/\s+error=\"\"//" </CODE></PRE> Tue, 29 Aug 2017 19:18:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-Null-Values-from-field-extractions/m-p/306703#M57833 woodcock 2017-08-29T19:18:27Z