Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove rows with NULL from final search output

gingyish
New Member
‎01-10-2018 05:11 PM

My working query returns a table with some NULL fields. This is because the query match the initial result with a lookup table.

How can I remove exclude all entries with atleast 1 NULL field from the final table?

Working Code: 

   sourcetype="WinEventLog:ForwardedEvents"  EventCode=XXX field46="*" | rex field=field46 "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:)(?<ports>\d+)\s+\w+\W(?<Account>.*)" | dedup ip Account| stats values(ip) as Source_IP dc(ip) as count by Account| sort count desc | table Account count | head 100 | lookup GenericAccountDumpList Account OUTPUTNEW Column1 Column2 Column3

Result 

Account      Count       Column1  Column2  Column3 
Anna           100           abc            cde            efg 
Brad           9             xyz            jjj             jlm
Terry          71            qyn            jjj             jlm
Andy           78            qyn                                     -> must be excluded, some columns are NULL / empty 
Maria          30                                                       -> must be excluded, some columns are NULL / empty
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-10-2018 05:43 PM

If field names are fixed

(your search)|search Column1=*  Column2=*  Column3=*

View solution in original post

Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-10-2018 05:43 PM

If field names are fixed

(your search)|search Column1=*  Column2=*  Column3=*
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...