How to exclude field with null value?

vin02ptl · ‎11-04-2019

I have indexed a JSON file and want to remove field which has 'null' value(event 1) but if the same field have any correct value in the next event(2) it should consider that field and extract the result. Please advise.
Logs as below:

Event1:

{
   policy: null
   protocol: null
   reason: null
   severity: low
   sid: xxx
   source_port: null
   src: xx.xx.xx.xx
   success: null
   terminal_source: xx.xx.xx.xx

 }

Event2:

{
   policy: Normal
   protocol: 4
   reason: null
   severity: low
   sid: xxx
   source_port: 234
   src: xx.xx.xx.xx
   success: null
   terminal_source: xx.xx.xx.xx

 }

damode1 · ‎05-22-2023

Were you able to fix this ?

vin02ptl · ‎11-04-2019

I am looking for search time extraction for cim compliance and using kv_mode = json. In that case how to proceed?

woodcock · ‎11-04-2019

If you are using INDEXED_EXTRACTIONS = json then you can use INGEST_EVAL like this

[YourSourcetypeHere]
INGEST_EVAL-policy   = nullif(policy,   "null")
INGEST_EVAL-protocol = nullif(protocol, "null")
INGEST_EVAL-reason   = nullif(reason,   "null")

How to exclude field with null value?

field extraction

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Are you a member of the Splunk Community?

How to exclude field with null value?

field extraction

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement