https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/478117#M82065 <P>I have indexed a JSON file and want to remove field which has 'null' value(event 1) but if the same field have any correct value in the next event(2) it should consider that field and extract the result. Please advise.<BR />Logs as below:</P> <P><STRONG>Event1:</STRONG></P> <PRE><CODE>{ policy: null protocol: null reason: null severity: low sid: xxx source_port: null src: xx.xx.xx.xx success: null terminal_source: xx.xx.xx.xx } </CODE></PRE> <P><STRONG>Event2:</STRONG></P> <PRE><CODE>{ policy: Normal protocol: 4 reason: null severity: low sid: xxx source_port: 234 src: xx.xx.xx.xx success: null terminal_source: xx.xx.xx.xx } </CODE></PRE> Tue, 23 May 2023 12:26:30 GMT vin02ptl 2023-05-23T12:26:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/478117#M82065 <P>I have indexed a JSON file and want to remove field which has 'null' value(event 1) but if the same field have any correct value in the next event(2) it should consider that field and extract the result. Please advise.<BR />Logs as below:</P> <P><STRONG>Event1:</STRONG></P> <PRE><CODE>{ policy: null protocol: null reason: null severity: low sid: xxx source_port: null src: xx.xx.xx.xx success: null terminal_source: xx.xx.xx.xx } </CODE></PRE> <P><STRONG>Event2:</STRONG></P> <PRE><CODE>{ policy: Normal protocol: 4 reason: null severity: low sid: xxx source_port: 234 src: xx.xx.xx.xx success: null terminal_source: xx.xx.xx.xx } </CODE></PRE> Tue, 23 May 2023 12:26:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/478117#M82065 vin02ptl 2023-05-23T12:26:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/478118#M82066 <P>If you are using <CODE>INDEXED_EXTRACTIONS = json</CODE> then you can use <CODE>INGEST_EVAL</CODE> like this</P> <PRE><CODE>[YourSourcetypeHere] INGEST_EVAL-policy = nullif(policy, "null") INGEST_EVAL-protocol = nullif(protocol, "null") INGEST_EVAL-reason = nullif(reason, "null") </CODE></PRE> Mon, 04 Nov 2019 16:11:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/478118#M82066 woodcock 2019-11-04T16:11:45Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/478119#M82067 <P>I am looking for search time extraction for cim compliance and using kv_mode = json. In that case how to proceed?</P> Mon, 04 Nov 2019 18:22:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/478119#M82067 vin02ptl 2019-11-04T18:22:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/644207#M109691 <P>Were you able to fix this ?</P> Tue, 23 May 2023 05:40:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-exclude-field-with-null-value/m-p/644207#M109691 damode1 2023-05-23T05:40:15Z