I am creating a dashboard for failed login, however, in the table created, there will be rows with all "" as values- How can I eliminate them? I have tried | fillnull value=("NA" OR "") but didn't work.
dproc=sshd categoryOutcome=/Fail* (src=* OR shost=* OR dvc=* OR dvchost=* OR suser=* OR duser=* OR msg=*)| table _time src shost dvc dvchost suser duser msg
| fillnull value="NA"
|top 20 _time src shost dvc dvchost suser duser msg
It looks like you've asked the question twice. Is this the same issue: Is this the same question as http://answers.splunk.com/answers/139062/creating-dashboardtables ?
In the other question you mention that there are multiple sources coming in via syslog.
What you might want to do, in order to more easily and clearly be able to form your searches (and trust the outcome) is to break out the various data types into separate sourcetypes, and normalize your fieldnames.
You can see an example of how that's done with props.conf and transforms.conf if you pick apart the TA for ASA http://apps.splunk.com/app/1620/
Once you have normalized your fieldnames (using FIELDALIAS) you might also want to do things like use FIELD="" that will tell you whether it exists and has a value. NOT FIELD="" will let you look at all the events where that field doesn't exist.
That's going to help you figure out your approach.
It's still a bit unclear as to why you have entitled this "Remove Own Searches".
Are you thinking that the results or evals or something from a previous search are crossing over here? That's not going to happen unless you did a field extraction and saved it...