Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Exclude Null in subsearch

rajkskumar
Explorer
‎09-30-2020 04:08 AM

I have the following query used to build a chart. Sometimes, the incoming events do not have the fields set. How could these events with null could be excluded in a Subsearch?

index=prod
| search processRelevantFields.processName="SessionExecution"|search prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"

I have tried with "search <fieldName> =*" as given above. But this is not working. Please guide on how this could be implemented?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 04:33 AM

In what way is it not working?

Have you tried including the filters on the main search?

index=prod processRelevantFields.processName="SessionExecution" prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"
0 Karma
Reply

rajkskumar
Explorer
‎09-30-2020 05:18 AM

The Main search is a complex base search query. The Subsearch is used to filter out the elements for this specific chart.

The result includes events which has null fields 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 05:50 AM

OK try putting the field names containing dots in single quotes

index=prod
| search 'processRelevantFields.processName'="SessionExecution"|search 'prod.customerId'=* 'prod.productId'=*
| timechart dc(customer.ciamId) as "Active Users"
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2020 09:12 AM
Hi
even this is old post it describes when to use search and when to use where and what are differences between those.
https://community.splunk.com/t5/Splunk-Search/Help-understanding-the-commands-Search-vs-Where-after-...
There are quite many other posts about the same thing. I propose that you will read those and look if those helps you.
r. Ismo
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...