https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-the-event-data-when-some-event-fields-value-is/m-p/465985#M140218 <P>If you want to remove those field values at search time you can remove using following query-</P> <PRE><CODE>...|eval field=if(field="None" OR field="Nan" OR field="",NULL,field )|where isnotnull(field) </CODE></PRE> <P>here replace field with actual field name</P> Thu, 28 May 2020 05:20:03 GMT 493669 2020-05-28T05:20:03Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-the-event-data-when-some-event-fields-value-is/m-p/465984#M140217 <P>Hello Guys,<BR />Sorry for blasting...<BR />When I input data into Splunk, I find some field values in the events are "None" or "Nan" or "". How can I delete these events which contain the blank values in Splunk? Or is there any way to drop these events when inputting these data?</P> Sat, 06 Jun 2020 18:48:18 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-the-event-data-when-some-event-fields-value-is/m-p/465984#M140217 samfisher1 2020-06-06T18:48:18Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-the-event-data-when-some-event-fields-value-is/m-p/465985#M140218 <P>If you want to remove those field values at search time you can remove using following query-</P> <PRE><CODE>...|eval field=if(field="None" OR field="Nan" OR field="",NULL,field )|where isnotnull(field) </CODE></PRE> <P>here replace field with actual field name</P> Thu, 28 May 2020 05:20:03 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-the-event-data-when-some-event-fields-value-is/m-p/465985#M140218 493669 2020-05-28T05:20:03Z https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-the-event-data-when-some-event-fields-value-is/m-p/465986#M140219 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/46086">@samfisher1</a>,<BR /> You have three ways to delete events in Splunk:</P> <OL> <LI>before indexing;</LI> <LI>from Splunk interface using the delete command;</LI> <LI>in CLi using the clean command.</LI> </OL> <P>In detail:</P> <P>1)<BR /> you can filter events before indexing using the steps described at <A href="https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A> , in few words you have to find a regex to take all the events (if you share a sample of the logs to filter I can help you) and put in <STRONG>props.conf</STRONG>:</P> <PRE><CODE>[your_sourcetype] TRANSFORMS-null= setnull </CODE></PRE> <P>In <STRONG>transforms.conf</STRONG>:</P> <PRE><CODE>[setnull] REGEX = your_regex DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>As regex you could use </P> <PRE><CODE>REGEX = None|Nan </CODE></PRE> <P>for the first two values, but per the value="" I cannot help you without a sample of these logs.</P> <P>This is the best way to filter events because you do this before indexing so you don't consume license.</P> <P>2)<BR /> you can use the delete command at the end of a search but it isn't an efficient method because it's a logic deletion, so the events remain in the buckets and you already consumed license for indexing.<BR /> In addition, it isn't a best practice to give the role "can_delete" to many users, so i cannot hint this method: I use it only in development on test archives and with much, much attention, changing my role to can_delete only for a short time!</P> <P>3)<BR /> the third method, I think, isn't useful for you because permits to delete an entire index, it isn't selective, and anyway you already indexed logs, so you consumed license.</P> <P>At the end the best approach is the first one.</P> <P>Ciao.<BR /> Giuseppe</P> Wed, 30 Sep 2020 05:32:44 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-delete-the-event-data-when-some-event-fields-value-is/m-p/465986#M140219 gcusello 2020-09-30T05:32:44Z