Splunk Search

How to filter out fields from my search that contain a dash "-" as a value?

lior_g
Explorer

I'm creating a dashboard that displays event "headers" for certain events,
and a drill down search that will display the full event.

The problem is, a lot of the events come with "empty" fields - instead of being null or non existent, they have - as the value.
I would like to remove fields that only contain -, so I will be able to search | table * and receive a table that only contains fields with data.

Any ideas?

0 Karma
1 Solution

somesoni2
Revered Legend

Not sure how efficient this will be for your query, but see this runanywhere sample

| gentimes start=-4  | eval Somesh="-" | table [| gentimes start=-4  | eval Somesh="-" | fieldsummary | search values!="[{\"value\":\"-\",*" | stats values(field) as search  delim="," | nomv search]

View solution in original post

somesoni2
Revered Legend

Not sure how efficient this will be for your query, but see this runanywhere sample

| gentimes start=-4  | eval Somesh="-" | table [| gentimes start=-4  | eval Somesh="-" | fieldsummary | search values!="[{\"value\":\"-\",*" | stats values(field) as search  delim="," | nomv search]

lior_g
Explorer

This does the trick, I wasn't aware that you can put a sub query after table.

0 Karma

javiergn
SplunkTrust
SplunkTrust

Try appending this before the table:

| query
| search NOT yourfieldname="-"
| table *

If that's not exactly what you are looking for please give us an example and ideally post the query here.

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...