Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to exclude Null Values from field extractions

dsofoulis
Path Finder
‎08-26-2017 06:10 PM

I am building a TA.

The issue I am having is the log file has a field error="". Even though it is null the error field is still there and causing CIM to tag the logs as error. I am hoping you can help me to only return the error field if there is a value other than null. Also note, I am looking for a way to do this without having to write a regex string as I have the same issue across a bunch of other sourcetypes.

<30>2017:08:27-10:30:12 sophos httpproxy[19742]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="1.1.1.1" dstip="1.1.1.1" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="855" request="0xdffdb" url="https://www.google.com.au/" referer="" error="" authtime="0" dnstime="579003" cattime="288" avscantime="0" fullreqtime="109809548" device="0" auth="0" ua="" exceptions="" category="145" reputation="trusted" categoryname="Search Engines" application="google" app-id="182"
0 Karma
Reply

woodcock
Esteemed Legend
‎08-29-2017 12:18 PM

You would probably be best to strip the null error completely out of the raw event with this on your Indexers:

SEDCMD_remove_empty_error_KVP = "s/\s+error=\"\"//"
0 Karma
Reply

ddrillic
Ultra Champion
‎08-26-2017 06:24 PM

Similar question at How do I remove a null field?

0 Karma
Reply

dsofoulis
Path Finder
‎08-26-2017 06:27 PM

thanks for sharing, but will only remove the null value when performing a search. I need to this to happen at index time.

0 Karma
Reply

ddrillic
Ultra Champion
‎08-26-2017 06:38 PM

Oh, maybe @somesoni2 solution can be useful - Is it possible to replace null fields at index-time?

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎08-29-2017 09:44 AM

Did that solution work @dsofoulis? If so we can close the question.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...