Solved: Remove rows with NULL from final search output

gingyish · ‎01-10-2018

My working query returns a table with some NULL fields. This is because the query match the initial result with a lookup table.

How can I remove exclude all entries with atleast 1 NULL field from the final table?

Working Code:

   sourcetype="WinEventLog:ForwardedEvents"  EventCode=XXX field46="*" | rex field=field46 "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:)(?<ports>\d+)\s+\w+\W(?<Account>.*)" | dedup ip Account| stats values(ip) as Source_IP dc(ip) as count by Account| sort count desc | table Account count | head 100 | lookup GenericAccountDumpList Account OUTPUTNEW Column1 Column2 Column3

Result

Account      Count       Column1  Column2  Column3 
Anna           100           abc            cde            efg 
Brad           9             xyz            jjj             jlm
Terry          71            qyn            jjj             jlm
Andy           78            qyn                                     -> must be excluded, some columns are NULL / empty 
Maria          30                                                       -> must be excluded, some columns are NULL / empty

HiroshiSatoh · ‎01-10-2018

If field names are fixed

(your search)|search Column1=*  Column2=*  Column3=*

View solution in original post

HiroshiSatoh · ‎01-10-2018

If field names are fixed

(your search)|search Column1=*  Column2=*  Column3=*

Remove rows with NULL from final search output

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Join the Conversation

Remove rows with NULL from final search output

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?