How to exclude field with null value?

vin02ptl · ‎11-04-2019

I have indexed a JSON file and want to remove field which has 'null' value(event 1) but if the same field have any correct value in the next event(2) it should consider that field and extract the result. Please advise.
Logs as below:

Event1:

{
   policy: null
   protocol: null
   reason: null
   severity: low
   sid: xxx
   source_port: null
   src: xx.xx.xx.xx
   success: null
   terminal_source: xx.xx.xx.xx

 }

Event2:

{
   policy: Normal
   protocol: 4
   reason: null
   severity: low
   sid: xxx
   source_port: 234
   src: xx.xx.xx.xx
   success: null
   terminal_source: xx.xx.xx.xx

 }

damode1 · ‎05-22-2023

Were you able to fix this ?

vin02ptl · ‎11-04-2019

I am looking for search time extraction for cim compliance and using kv_mode = json. In that case how to proceed?

woodcock · ‎11-04-2019

If you are using INDEXED_EXTRACTIONS = json then you can use INGEST_EVAL like this

[YourSourcetypeHere]
INGEST_EVAL-policy   = nullif(policy,   "null")
INGEST_EVAL-protocol = nullif(protocol, "null")
INGEST_EVAL-reason   = nullif(reason,   "null")

How to exclude field with null value?

field extraction

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!