Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to exclude field with null value?

vin02ptl
Explorer
‎11-04-2019 04:07 AM

I have indexed a JSON file and want to remove field which has 'null' value(event 1) but if the same field have any correct value in the next event(2) it should consider that field and extract the result. Please advise.
Logs as below:

Event1:

{
   policy: null
   protocol: null
   reason: null
   severity: low
   sid: xxx
   source_port: null
   src: xx.xx.xx.xx
   success: null
   terminal_source: xx.xx.xx.xx

 }

Event2:

{
   policy: Normal
   protocol: 4
   reason: null
   severity: low
   sid: xxx
   source_port: 234
   src: xx.xx.xx.xx
   success: null
   terminal_source: xx.xx.xx.xx

 }
Labels (1)
Labels
Reply

damode1
Path Finder
‎05-22-2023 10:40 PM

Were you able to fix this ?

0 Karma
Reply

vin02ptl
Explorer
‎11-04-2019 10:22 AM

I am looking for search time extraction for cim compliance and using kv_mode = json. In that case how to proceed?

0 Karma
Reply

woodcock
Esteemed Legend
‎11-04-2019 08:11 AM

If you are using INDEXED_EXTRACTIONS = json then you can use INGEST_EVAL like this

[YourSourcetypeHere]
INGEST_EVAL-policy   = nullif(policy,   "null")
INGEST_EVAL-protocol = nullif(protocol, "null")
INGEST_EVAL-reason   = nullif(reason,   "null")
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...