How to search partial field names and exclude events that contain no value

ganon640
New Member

Hi,
I want my search to only return events that have field names matching Feature.Flags*
My data currently has the field names below, but more and more feature flags will be released over time, so I don't want to hard-code them into the search.

Feature.Flags.1
Feature.Flags.2
Feature.Flags.3

How can I construct a search that only returns events containing any of these Feature.Flags* field names, but excludes any events where all matching Feature.Flags fields have no value?

e.g. only return Events 1 and 3 below
Event 1
Feature.Flags.1 = True
Feature.Flags.2 = ""
Feature.Flags.3 = False

Event 2 (all fields have no value, so exclude this from the search)
Feature.Flags.1 = ""
Feature.Flags.2 = ""
Feature.Flags.3 = ""

Event 3
Feature.Flags.1 = False
Feature.Flags.2 = False
Feature.Flags.3 = False

I've tried different things but can't get it to work. For example, the search below returns all events in a table, but unfortunately it includes events where all Feature.Flags* fields have empty values.

table host Feature.Flags*

I also tried the search below, but it just returned all entries with HostFlags set to False and none set to True.

eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='<<FIELD>>'] | search HostFlags=*
| table host Feature.Flags*
0 Karma
1 Solution

amitm05
Builder

ganon640

Try this -

| makeresults | eval  Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "xyz" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='<<FIELD>>'] | where HostFlags!="" | table Feature.Flags*

And

| makeresults | eval  Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='<<FIELD>>'] | where HostFlags!="" | table Feature.Flags*

The first one will give you a result and the second one will not, which matches your criteria.
Let me know. Thanks.


0 Karma
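One caveat worth noting on the accepted answer: HostFlags ends up holding only the value of the last Feature.Flags* field that foreach visits, so an event whose earlier flags are set but whose last flag is empty would be dropped. As an added example (not code from the original post), the search below rebuilds the three events from the question with makeresults and instead raises an AnyFlagSet marker as soon as any field in the set is present and non-empty; AnyFlagSet and event are names chosen here, and the search assumes the fields are extracted under the same Feature.Flags.N names.

```spl
| makeresults count=3
| streamstats count AS event
| eval Feature.Flags.1 = case(event=1, "True",  event=2, "", event=3, "False")
| eval Feature.Flags.2 = case(event=1, "",      event=2, "", event=3, "False")
| eval Feature.Flags.3 = case(event=1, "False", event=2, "", event=3, "False")
| eval AnyFlagSet = 0
| foreach "Feature.Flags"* [ eval AnyFlagSet = if(isnotnull('<<FIELD>>') AND '<<FIELD>>' != "", 1, AnyFlagSet) ]
| where AnyFlagSet = 1
| table event Feature.Flags*
```

Running this returns only events 1 and 3. On indexed data a flag with no value may be absent rather than an empty string, which is why the test checks both isnotnull and the empty string before setting the marker.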