Splunk Search

How to remove your own searches

chungmp
New Member

I am creating a dashboard for failed logins; however, in the table created, there will be rows with all "" as values. How can I eliminate them? I have tried | fillnull value=("NA" OR "") but it didn't work.

dproc=sshd categoryOutcome=/Fail* (src=* OR shost=* OR dvc=* OR dvchost=* OR suser=* OR duser=* OR msg=*)
| table _time src shost dvc dvchost suser duser msg
| fillnull value="NA"
| top 20 _time src shost dvc dvchost suser duser msg


rsennett_splunk
Splunk Employee

It looks like you've asked the question twice. Is this the same question as http://answers.splunk.com/answers/139062/creating-dashboardtables ?

In the other question you mention that there are multiple sources coming in via syslog.
What you might want to do, in order to more easily and clearly be able to form your searches (and trust the outcome), is to break out the various data types into separate sourcetypes and normalize your field names.

You can see an example of how that's done with props.conf and transforms.conf if you pick apart the TA for ASA http://apps.splunk.com/app/1620/


Once you have normalized your fieldnames (using FIELDALIAS) you might also want to do things like use FIELD="" that will tell you whether it exists and has a value. NOT FIELD="" will let you look at all the events where that field doesn't exist.

That's going to help you figure out your approach.

It's still a bit unclear as to why you have entitled this "Remove Own Searches".

Are you thinking that the results or evals or something from a previous search are crossing over here? That's not going to happen unless you did a field extraction and saved it...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
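One way to combine the two ideas above (test whether a field actually has a value, then fillnull only the partially empty rows) is the search below. It is an added example, not code from either poster; the field names come from the question's search, and the assumption is that an "empty" row means every listed field is either missing or an empty string.

```spl
dproc=sshd categoryOutcome=/Fail*
| table _time src shost dvc dvchost suser duser msg
| foreach src shost dvc dvchost suser duser msg
    [ eval <<FIELD>> = if('<<FIELD>>'="", null(), '<<FIELD>>') ]
| where isnotnull(coalesce(src, shost, dvc, dvchost, suser, duser, msg))
| fillnull value="NA" src shost dvc dvchost suser duser msg
| top 20 src shost dvc dvchost suser duser msg
```

The foreach turns "" into null so that fillnull and the coalesce test treat both the same way; the where clause keeps a row only if at least one field survives. top ranks combinations of the listed fields, so _time is left out of it, since including it makes nearly every row unique and the ranking meaningless.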