Splunk Search

How to exclude null field values from search results?

Communicator

Below are the log events I have, where one event has two savedsearch_name fields with two values "Apache_Monitor" and other is "" empty.
And other event has only one savedsearch_name

Audit:[timestamp=xx-xx-xxxx xx:xx:xx.xxx, id=xxxxx, user=admin, action=search, info=granted , search_id='xxxxxxxx',  index=summary `savedsearch_name`="Apache_Monitor"', enable_lookups='1', extra_fields='*', `savedsearch_name`=""]

Audit:[timestamp=xx-xx-xxxx xx:xx:xx.xxx, id=xxxxx, user=admin, action=search, info=granted , search_id='xxxxxxxx',  index=summary `savedsearch_name`="Apache_Monitor"']

I want to look only for one field one value (2nd event). So I tried to use NOT condition to get rid of two same field events (1st event)

index=_audit action="search" (savedsearch_name="Apache_Monitor") NOT (savedsearch_name="")  search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY"

But It doesn't work, How to exclude the events which has no value ?

0 Karma
1 Solution

Revered Legend

Try this

index=_audit action="search" (savedsearch_name="Apache_Monitor") NOT ("savedsearch_name*savedsearch_name")  search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY"

Updated

index=_audit action="search" (savedsearch_name="Apache_Monitor")  search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY" | rex max_match=2 "(?<noOfSavedSearch>savedsearch_name)" | where mvcount(noOfSavedSearch)=1

View solution in original post

Splunk Employee
Splunk Employee

So the following will work and/or provide pointers how to do this.

index="462049" 
| rex field=_raw ".*`savedsearch_name`.*`savedsearch_name`=\"(?<savedsearch_name_second>)\".*" 
| eval savedsearch_name_second_is_blank=if(savedsearch_name_second="",1,0) 
| where savedsearch_name_second_is_blank = 0

So the trick is to use regex to find a second savedsearch_name by looking directly against the _raw event field. Then apply additional logic against this field.

0 Karma

Revered Legend

Try this

index=_audit action="search" (savedsearch_name="Apache_Monitor") NOT ("savedsearch_name*savedsearch_name")  search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY"

Updated

index=_audit action="search" (savedsearch_name="Apache_Monitor")  search=* NOT "typeahead" NOT metadata NOT "|history" NOT "AUTOSUMMARY" | rex max_match=2 "(?<noOfSavedSearch>savedsearch_name)" | where mvcount(noOfSavedSearch)=1

View solution in original post

Communicator

Still I am seeing two same fields in one event. Is it not possible to eliminate the events which has two same field ?

0 Karma

Communicator

Updated one works perfectly, you successfully removed the two same field events. thanks

0 Karma

Revered Legend

Give the updated answer a try.

0 Karma

Splunk Employee
Splunk Employee

So a few further questions for clarification -

  • Can savedsearch_name appear more than twice?
  • Can both savedsearch_names be empty?
  • Are the only events you want exclude are match on first and nothing on second? ( So nothing on first and match on second is allowed )
0 Karma

Communicator
  • no
  • no
  • yes
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!