Solved: If I have missing data from a table, the whole lis...

IRHM73 · ‎09-30-2015

Hi, I wonder whether someone may be able to help me please.

I'm using the search below to produce data in the following format

First Name
Surname
DOB
NINO
SUT

auditSource="matching" auditType="Tx*" detail.input-ida-request="*" | rex field="detail.output-cid-response" "\"firstName\":\"(?<cidFName>[^\"]+)" |  rex field="detail.output-cid-response" "\"lastName\":\"(?<cidSName>[^\"]+)" |rex field="detail.output-cid-response" "\"dateOfBirth\":\"(?<cidDOB>[^\"]+)" | rex field="detail.output-cid-response" "\"sut\":\"(?<cidSUT>[^\"]+)" | rex field="detail.output-cid-response" "\"nino\":\"(?<cidNINO>[^\"]+)" | eval Full_Details= "Firstname: ".cidFName.", Surname: ".cidSName.", DOB: ".cidDOB.", NINO: ".cidNINO.", SUT: ".cidSUT | makemv delim=", " Full_Details | table detail.output-cid-response Full_Details

The problem I have is that if there is one piece of information missing from the source data, the whole list fails to display.

Could someone tell me please, is there a way to overcome this?

Many thanks and kind regards

Chris

IRHM73 · ‎10-01-2015

All,

For those of you who are interested, I found a solution here where I used Example 2 .

Kind Regards

Chris

View solution in original post

IRHM73 · ‎10-01-2015

All,

For those of you who are interested, I found a solution here where I used Example 2 .

Kind Regards

Chris

MuS · ‎10-01-2015

You should provide a sample of your events; best to include good and bad examples 😉

IRHM73 · ‎10-01-2015

Hi @MuS, thank you for taking the time to come back to me with this.

I've continued to work on this, and it may not be the best way, but I found a solution here where I used Example 2.

Many thanks and kind regards

If I have missing data from a table, the whole list fails to display. How do work around this issue?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!