Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter row if some fields are empty?

LearningGuy
Motivator
‎11-10-2023 03:00 PM

Hello,
How to filter all row if some fields are empty, but do not filter if one of the field has value?   
I appreciate your help. Thank you

I want to filter out row, if vuln, score and company fields are empty/NULL   
(All 3 fields are empty: Row 2 and 6 in the table below)

If vuln OR company fields have values(NOT EMPTY), do not filter 
Row 4: vuln=Empty                            company=company D(NOT empty)
Row 9: vuln=vuln9(NOT empty)    company=empty

If I use the search below, it will filter out row with vuln OR company that are empty (Row 4 and Row 9)
index=testindex  vuln=* AND score=* AND company=*

Current data

noipvulnscorecompany
11.1.1.1vuln19company A
21.1.1.2   
31.1.1.3vuln39company C
41.1.1.4  company D
51.1.1.5vuln57company E
61.1.1.6   
71.1.1.7vuln75company G
81.1.1.8vuln85company H
91.1.1.9vuln9  
101.1.1.10vuln104company J

 

Expected Result: ***NEED CORRECTION***

noipvulnscorecompany
11.1.1.1vuln19company A
2FILTEREDFILTEREDFILTEREDFILTERED
31.1.1.3vuln39company C
41.1.1.4  company D
51.1.1.5vuln57company E
6FILTEREDFILTEREDFILTEREDFILTERED
71.1.1.7vuln75company G
81.1.1.8vuln85company H
91.1.1.9vuln9  
101.1.1.10vuln104company J


Sorry, This is what I mean by FILTERED

noipvulnscorecompany
11.1.1.1vuln19company A
31.1.1.3vuln39company C
41.1.1.4  company D
51.1.1.5vuln57company E
71.1.1.7vuln75company G
81.1.1.8vuln85company H
91.1.1.9vuln9  
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-10-2023 10:56 PM

Hi @LearningGuy ,

the solution to your "Expected Result" is the one hinted by @ITWhisperer .

Instead you can have to the last table simply adding 

 

(vuln=* OR company=*)

 

to you main search.

Ciao.

Giuseppe

 

Reply

LearningGuy
Motivator
‎11-12-2023 04:08 PM

I found solution for this:

index=testindex  (vuln=* AND score=* AND company=*) OR (vuln=*) OR NOT (company="")

(vuln=* AND score=* AND company=*)   ==>   condition for vuln, score, company exists
(vuln=*)  ==> condition for only vuln exists
NOT (company="") ==> condition for only company exists         

company=*   "is equivalent with"  NOT (company="")     "is equivalent with"    isnull(company)

any idea why company=*  or isnull(company) does not work?
Thank you

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-12-2023 05:30 PM

Empty and null are different things. If the field is "" then it is not null, so I use

| where len(company)>0
Reply

LearningGuy
Motivator
‎11-13-2023 06:45 AM


Hello,
Thank you for your help.

When I use one condition, it worked

 

| where len(company)>0

 


1) but when I combined "len", it didn't work - "The search job has failed due to an error. "

 

| where isnotnull(vuln) AND isnotnull(score) AND len(company>0)

 


2) Why can't I use  len function without "where"?     
3) Can I use company=* to include "exist/non empty"?          It looks like * also didn't work

Please suggest. Thanks


0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-13-2023 06:47 AM

You have a typo

| where isnotnull(vuln) AND isnotnull(score) AND len(company) > 0
Reply

LearningGuy
Motivator
‎11-13-2023 07:28 AM

Hello,
Thanks for your correction and your help.
So this is what I am looking for:   

| where (isnotnull(vuln) AND isnotnull(score) AND len(company)>0)) OR (isnotnull(vuln)) OR len(company>0)

 Any idea why * didn't work?

It seems like "where" is faster than "search
Thank you

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-13-2023 07:46 AM

* doesn't work (as a wildcard) for where only search

Reply

LearningGuy
Motivator
‎11-10-2023 06:19 PM

Hello,
Thank you for your help.
Your answer is correct, the output literally put "FILTERED".    
Sorry if my original post is not clear. I corrected my post.

What I meant by "filtered" , completely removed like shown below:

noipvulnscorecompany
11.1.1.1vuln19company A
31.1.1.3vuln39company C
41.1.1.4  company D
51.1.1.5vuln57company E
71.1.1.7vuln75company G
81.1.1.8vuln85company H
91.1.1.9vuln9  

 

I think I figured it out
index=testindex  (vuln=* AND score=* AND company=*) OR (vuln=*) OR NOT (company="")
It's just weird that company=* does not work and I had to use NOT (company="") to filter out empty 
NOT isnull(company) also doesn't work

Please suggest.
Thanks



0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-11-2023 02:23 AM 
| where isnotnull(vuln) OR isnotnull(score) OR isnotnull(company)
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2023 03:10 PM 
| eval ip=if(isnull(vuln) AND isnull(score) AND isnull(company),"FILTERED",ip)
| eval vuln=if(ip="FILTERED",ip,vuln)
| eval score=if(ip="FILTERED",ip,score)
| eval company=if(ip="FILTERED",ip,company)
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...
Top