How to exclude NULL return fields from my search?

rkaakaty · ‎05-31-2017

eventtype=qualys_vm_detection_event STATUS!="FIXED" 
| fillnull value=- PROTOCOL
| dedup 1 HOST_ID, QID, PROTOCOL, STATUS keepempty=true sortby -_time  
| stats list(HOST_ID) as HOST_ID, list(DNS) as Host_Name, list(OS), list(IP) as IP count(HOST_ID) by QID 
| rename count(HOST_ID) AS HOSTS
| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY PATCHABLE  
| table TITLE, CATEGORY, PATCHABLE, QID, HOSTS
| sort - HOSTS
| head 10

Using TITLE=* or TITLE!="" is not returning any results at all...

nit123 · ‎07-15-2017

Does my answer above solve your question ? If yes, spare a moment to accept the answer and vote for it. Thanks.

nit123 · ‎05-31-2017

Either try from the following

a. search | where isnull()

OR

b. FieldName != ''

OR

c. len(FieldName )> 0

Option (c) works pretty good.

if this solves your prolem, spare a moment to reward points.

Thanks.

woodcock · ‎05-31-2017

You should be able to use either of these:

| search TITLE="*"

Or:

| where isnotnull(TITLE)

niketn · ‎05-31-2017

Since you are getting the TITLE field from lookup, you can add the following where clause after lookup:

   | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY PATCHABLE 
   | where isnotnull(TITLE)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎05-31-2017

@rkaakaty Please accept the answer is it has resolved your issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

skoelpin · ‎05-31-2017

Use this to exclude null values on your stats command

usenull=f

How to exclude NULL return fields from my search?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...