Re: Filtering out header-only "events" after using...

FunPolice · ‎11-26-2010

I've been tweaking the *NIX app by adding some charts with queries such as:

index="os" sourcetype="who" host=$host$ | multikv | timechart count by USERNAME

The resulting chart has a large number of events where the USERNAME is NULL. This appears to be because the MultiKV command only filters out the header when there is a body in the event. If the "who" event only contains a header the MultiKV leaves it in the result set as an event.

What is the best way to get rid of these unwanted header "events"? I would prefer to index them, as then there is a contiguous record from the who script. I could use

index="os" sourcetype="who" | multikv | search _raw!="*USERNAME        LINE        HOSTNAME                                  TIME*"

however there are likely many other similar situations so a more generic solution would be helpful.

Is there a better way?

Thanks.

FunPolice · ‎05-23-2011

I've upgraded to 4.2 and will try again with the universal forwarder as soon as I get a chance. Stay tuned!

gkanapathy · ‎11-29-2010

I just don't get this behavior. multikv for me simply doesn't return the header rows, so I don't get this problem.

Ledion_Bitincka · ‎11-27-2010

a slightly better approach would be:

index="os" sourcetype="who" host=$host$ | multikv | search USERNAME=* | timechart count by USERNAME

basically filter out all results that are missing the USERNAME field

Filtering out header-only "events" after using MultiKV

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...