Not displaying key with no value

mark112 · ‎06-17-2013

I am writing to ask a question, which is probably an easy one. I am curious, how would you search for all occurances of a key in a particular index, while excluding identified keys that contain no value. For example, if I wanted to table all the keys named target_keys in the index, target_index, I may use the following search:

index = target_index | table target_keys

This would produce a table of all the key value pairs for target_keys. But How would I exclude the table command returning target_keys occurances that contain no value? Or that contain a specific value for which I am trying to exclude from the table?

Thanks in advance for any assistance!

mark112 · ‎06-17-2013

I will test this. Thank you, VERY much

lguinn2 · ‎06-17-2013

Here are a few ideas

index=target_index | where isnull(target_key) | table target_keys

or

index=target_index | where isnotnull(target_key) | table target_keys

or

index=target_index target_key="goodvalue" | table target_keys

or

index=target_index NOT target_key="badvalue" | table target_keys

Not displaying key with no value

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Not displaying key with no value

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases