Re: To Exclude all the NULL values from the index

AL3Z · ‎09-29-2023

Hello,

I was trying to explore all the null values in my index but is it not working as expected do we need any changes in the search

index=vpn earliest=-7d
| fieldsummary
| where match(values, "^\[{\"value\":\"null\",\"count\":\d+\}\]$")

Thanks

gcusello · ‎09-29-2023

Hi @AL3Z,

could you better describe what you whould do?

if you already indexed a log, you canot remove an avent or a part of it.

If you want to exclude some null values from a search you can do iy in the search.

So what' your requirement?

Ciao.

Giuseppe

AL3Z · ‎09-29-2023

Hello,

I was trying to look for indexed null values and will decide to ingest after knowing them.

gcusello · ‎09-29-2023

Hi @AL3Z,

at first you have to analyze your data and see if you correctly parsed it, in other words, if you're using the correct Add-On.

At this point you should'n have NULL values in fields.

Ciao.

Giuseppe

AL3Z · ‎09-29-2023

Thanks ,
I can see the values of some fields in my index as null, what does it mean the data is ingesting or not ???

gcusello · ‎09-29-2023

Hi @AL3Z,

if you don't have any recognized field, this means that you have a parsing problem.

At first you have to check if you instaled the correct Add-On and if you associated the correct sourcetype with yur data flow.

Then you have to analyze your data, see the sourcetype associated with these events and see what's the issue,

Ciao.

Giuseppe

To Exclude all the NULL values from the index

blacklist

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...