topic Re: How to exclude null field values from search results? in Splunk Search

How to exclude null field values from search results?

ibob0304 — Tue, 11 Oct 2016 19:27:32 GMT

Below are the log events I have, where one event has two savedsearch_name fields with two values "Apache_Monitor" and other is "" empty.
And other event has only one savedsearch_name

Audit:[timestamp=xx-xx-xxxx xx:xx:xx.xxx, id=xxxxx, user=admin, action=search, info=granted , search_id='xxxxxxxx',  index=summary `savedsearch_name`="Apache_Monitor"', enable_lookups='1', extra_fields='*', `savedsearch_name`=""]

Audit:[timestamp=xx-xx-xxxx xx:xx:xx.xxx, id=xxxxx, user=admin, action=search, info=granted , search_id='xxxxxxxx',  index=summary `savedsearch_name`="Apache_Monitor"']

I want to look only for one field one value (2nd event). So I tried to use NOT condition to get rid of two same field events (1st event)

index=_audit action="search" (savedsearch_name="Apache_Monitor") NOT (savedsearch_name="")  search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY"

But It doesn't work, How to exclude the events which has no value ?

Re: How to exclude null field values from search results?

msivill_splunk — Tue, 11 Oct 2016 19:52:59 GMT

So a few further questions for clarification -

Can savedsearch_name appear more than twice?
Can both savedsearch_names be empty?
Are the only events you want exclude are match on first and nothing on second? ( So nothing on first and match on second is allowed )

Re: How to exclude null field values from search results?

ibob0304 — Tue, 11 Oct 2016 20:05:08 GMT

Re: How to exclude null field values from search results?

somesoni2 — Tue, 11 Oct 2016 20:07:37 GMT

Try this

index=_audit action="search" (savedsearch_name="Apache_Monitor") NOT ("savedsearch_name*savedsearch_name")  search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY"

Updated

index=_audit action="search" (savedsearch_name="Apache_Monitor")  search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY" | rex max_match=2 "(?<noOfSavedSearch>savedsearch_name)" | where mvcount(noOfSavedSearch)=1

Re: How to exclude null field values from search results?

msivill_splunk — Tue, 11 Oct 2016 20:09:18 GMT

So the following will work and/or provide pointers how to do this.

index="462049" 
| rex field=_raw ".*`savedsearch_name`.*`savedsearch_name`=\"(?<savedsearch_name_second>)\".*" 
| eval savedsearch_name_second_is_blank=if(savedsearch_name_second="",1,0) 
| where savedsearch_name_second_is_blank = 0

So the trick is to use regex to find a second savedsearch_name by looking directly against the _raw event field. Then apply additional logic against this field.

Re: How to exclude null field values from search results?

ibob0304 — Tue, 11 Oct 2016 20:34:30 GMT

Still I am seeing two same fields in one event. Is it not possible to eliminate the events which has two same field ?

Re: How to exclude null field values from search results?

somesoni2 — Tue, 11 Oct 2016 20:45:47 GMT

Give the updated answer a try.

Re: How to exclude null field values from search results?

ibob0304 — Tue, 11 Oct 2016 20:50:50 GMT

Updated one works perfectly, you successfully removed the two same field events. thanks