Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclude Null in subsearch

rajkskumar
Explorer
‎09-30-2020 04:08 AM

I have the following query used to build a chart. Sometimes, the incoming events do not have the fields set. How could these events with null could be excluded in a Subsearch?

index=prod
| search processRelevantFields.processName="SessionExecution"|search prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"

I have tried with "search <fieldName> =*" as given above. But this is not working. Please guide on how this could be implemented?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 04:33 AM

In what way is it not working?

Have you tried including the filters on the main search?

index=prod processRelevantFields.processName="SessionExecution" prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"
0 Karma
Reply

rajkskumar
Explorer
‎09-30-2020 05:18 AM

The Main search is a complex base search query. The Subsearch is used to filter out the elements for this specific chart.

The result includes events which has null fields 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 05:50 AM

OK try putting the field names containing dots in single quotes

index=prod
| search 'processRelevantFields.processName'="SessionExecution"|search 'prod.customerId'=* 'prod.productId'=*
| timechart dc(customer.ciamId) as "Active Users"
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2020 09:12 AM
Hi
even this is old post it describes when to use search and when to use where and what are differences between those.
https://community.splunk.com/t5/Splunk-Search/Help-understanding-the-commands-Search-vs-Where-after-...
There are quite many other posts about the same thing. I propose that you will read those and look if those helps you.
r. Ismo
0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...