Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Exclude Null in subsearch

rajkskumar
Explorer
‎09-30-2020 04:08 AM

I have the following query used to build a chart. Sometimes, the incoming events do not have the fields set. How could these events with null could be excluded in a Subsearch?

index=prod
| search processRelevantFields.processName="SessionExecution"|search prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"

I have tried with "search <fieldName> =*" as given above. But this is not working. Please guide on how this could be implemented?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 04:33 AM

In what way is it not working?

Have you tried including the filters on the main search?

index=prod processRelevantFields.processName="SessionExecution" prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"
0 Karma
Reply

rajkskumar
Explorer
‎09-30-2020 05:18 AM

The Main search is a complex base search query. The Subsearch is used to filter out the elements for this specific chart.

The result includes events which has null fields 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 05:50 AM

OK try putting the field names containing dots in single quotes

index=prod
| search 'processRelevantFields.processName'="SessionExecution"|search 'prod.customerId'=* 'prod.productId'=*
| timechart dc(customer.ciamId) as "Active Users"
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2020 09:12 AM
Hi
even this is old post it describes when to use search and when to use where and what are differences between those.
https://community.splunk.com/t5/Splunk-Search/Help-understanding-the-commands-Search-vs-Where-after-...
There are quite many other posts about the same thing. I propose that you will read those and look if those helps you.
r. Ismo
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...