Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclude Null in subsearch

rajkskumar
Explorer
‎09-30-2020 04:08 AM

I have the following query used to build a chart. Sometimes, the incoming events do not have the fields set. How could these events with null could be excluded in a Subsearch?

index=prod
| search processRelevantFields.processName="SessionExecution"|search prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"

I have tried with "search <fieldName> =*" as given above. But this is not working. Please guide on how this could be implemented?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 04:33 AM

In what way is it not working?

Have you tried including the filters on the main search?

index=prod processRelevantFields.processName="SessionExecution" prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"
0 Karma
Reply

rajkskumar
Explorer
‎09-30-2020 05:18 AM

The Main search is a complex base search query. The Subsearch is used to filter out the elements for this specific chart.

The result includes events which has null fields 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-30-2020 05:50 AM

OK try putting the field names containing dots in single quotes

index=prod
| search 'processRelevantFields.processName'="SessionExecution"|search 'prod.customerId'=* 'prod.productId'=*
| timechart dc(customer.ciamId) as "Active Users"
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-30-2020 09:12 AM
Hi
even this is old post it describes when to use search and when to use where and what are differences between those.
https://community.splunk.com/t5/Splunk-Search/Help-understanding-the-commands-Search-vs-Where-after-...
There are quite many other posts about the same thing. I propose that you will read those and look if those helps you.
r. Ismo
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...