Re: Exclude Null in subsearch

rajkskumar · ‎09-30-2020

I have the following query used to build a chart. Sometimes, the incoming events do not have the fields set. How could these events with null could be excluded in a Subsearch?

index=prod
| search processRelevantFields.processName="SessionExecution"|search prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"

I have tried with "search <fieldName> =*" as given above. But this is not working. Please guide on how this could be implemented?

ITWhisperer · ‎09-30-2020

In what way is it not working?

Have you tried including the filters on the main search?

index=prod processRelevantFields.processName="SessionExecution" prod.customerId=* prod.productId=*
| timechart dc(customer.ciamId) as "Active Users"

rajkskumar · ‎09-30-2020

The Main search is a complex base search query. The Subsearch is used to filter out the elements for this specific chart.

The result includes events which has null fields

ITWhisperer · ‎09-30-2020

OK try putting the field names containing dots in single quotes

index=prod
| search 'processRelevantFields.processName'="SessionExecution"|search 'prod.customerId'=* 'prod.productId'=*
| timechart dc(customer.ciamId) as "Active Users"

isoutamo · ‎09-30-2020

Hi
even this is old post it describes when to use search and when to use where and what are differences between those.
https://community.splunk.com/t5/Splunk-Search/Help-understanding-the-commands-Search-vs-Where-after-...
There are quite many other posts about the same thing. I propose that you will read those and look if those helps you.
r. Ismo

Exclude Null in subsearch

timechart

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!