Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to exclude NULL return fields from my search?

rkaakaty
Path Finder
‎05-31-2017 08:30 AM 
eventtype=qualys_vm_detection_event STATUS!="FIXED" 
| fillnull value=- PROTOCOL
| dedup 1 HOST_ID, QID, PROTOCOL, STATUS keepempty=true sortby -_time  
| stats list(HOST_ID) as HOST_ID, list(DNS) as Host_Name, list(OS), list(IP) as IP count(HOST_ID) by QID 
| rename count(HOST_ID) AS HOSTS
| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY PATCHABLE  
| table TITLE, CATEGORY, PATCHABLE, QID, HOSTS
| sort - HOSTS
| head 10

Using TITLE=* or TITLE!="" is not returning any results at all...

Reply

nit123
Path Finder
‎07-15-2017 06:43 AM

Does my answer above solve your question ? If yes, spare a moment to accept the answer and vote for it. Thanks.

0 Karma
Reply

nit123
Path Finder
‎05-31-2017 10:57 PM

Either try from the following

a. search | where isnull()

OR

b. FieldName != ''

OR

c. len(FieldName )> 0

Option (c) works pretty good.

if this solves your prolem, spare a moment to reward points.

Thanks.

0 Karma
Reply

woodcock
Esteemed Legend
‎05-31-2017 08:58 AM

You should be able to use either of these:

| search TITLE="*"

Or:

| where isnotnull(TITLE)
Reply

niketn
Legend
‎05-31-2017 08:57 AM

Since you are getting the TITLE field from lookup, you can add the following where clause after lookup:

   | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY PATCHABLE 
   | where isnotnull(TITLE)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

niketn
Legend
‎05-31-2017 09:34 PM

@rkaakaty Please accept the answer is it has resolved your issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎05-31-2017 08:50 AM

Use this to exclude null values on your stats command

usenull=f

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...