Splunk Search

How can I remove events from a search table?

vino06
New Member

Hi Guys,

Good Day!

Just want to ask how I can remove the YYYYMMDD HH24:MI:SS") event from my search table. Here is my search and the result.

index=nf_index source=/appl/in_house/batch/AS*
| multikv
| stats count by "ACCESS CODE"

1 Solution

s2_splunk
Splunk Employee
index=nf_index source=/appl/in_house/batch/AS* 
 NOT "ACCESS CODE"="YYYYMMDD*"
| multikv 
| stats count by "ACCESS CODE"

Or you could fix your data onboarding and not index those events, because it seems these values are the result of something that is parsed incorrectly.

rjthibod
Champion

You could try the simple boolean check of isint()

index=nf_index source=/appl/in_house/batch/AS*
| multikv 
| stats count by "ACCESS CODE"
| where isint('ACCESS CODE')