How to remove your own searches

chungmp
New Member

I am creating a dashboard for failed logins; however, in the table created, there will be rows with all "" as values. How can I eliminate them? I have tried | fillnull value=("NA" OR "") but it didn't work.

dproc=sshd categoryOutcome=/Fail* (src=* OR shost=* OR dvc=* OR dvchost=* OR suser=* OR duser=* OR msg=*)| table _time src shost dvc dvchost suser duser msg
| fillnull value="NA"
|top 20 _time src shost dvc dvchost suser duser msg


rsennett_splunk
Splunk Employee

It looks like you've asked the question twice. Is this the same question as http://answers.splunk.com/answers/139062/creating-dashboardtables ?

In the other question you mention that there are multiple sources coming in via syslog.
What you might want to do, in order to more easily and clearly be able to form your searches (and trust the outcome) is to break out the various data types into separate sourcetypes, and normalize your fieldnames.

You can see an example of how that's done with props.conf and transforms.conf if you pick apart the TA for ASA http://apps.splunk.com/app/1620/

Once you have normalized your fieldnames (using FIELDALIAS) you might also want to do things like use FIELD="" that will tell you whether it exists and has a value. NOT FIELD="" will let you look at all the events where that field doesn't exist.

That's going to help you figure out your approach.

It's still a bit unclear as to why you have entitled this "Remove Own Searches".

Are you thinking that the results or evals or something from a previous search are crossing over here? That's not going to happen unless you did a field extraction and saved it...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
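As an added example (not from either poster), here is one way to drop the all-empty rows from the failed-login table in the question. It assumes the same field names the question uses (src, shost, dvc, dvchost, suser, duser, msg) and the same base search. fillnull only replaces fields that are missing from an event; a field that was extracted as a literal empty string is not null, so the foreach loop counts both cases before the where clause filters rows where every column is empty. _time is left out of top on purpose, because every event carries a distinct timestamp and including it would make each row its own "top" value.

```spl
dproc=sshd categoryOutcome=/Fail* (src=* OR shost=* OR dvc=* OR dvchost=* OR suser=* OR duser=* OR msg=*)
| table _time src shost dvc dvchost suser duser msg
| eval empty_count=0
| foreach src shost dvc dvchost suser duser msg
    [ eval empty_count=if(isnull('<<FIELD>>') OR '<<FIELD>>'="", empty_count+1, empty_count) ]
| where empty_count < 7
| fields - empty_count
| fillnull value="NA" src shost dvc dvchost suser duser msg
| top 20 src shost suser duser msg
```

The where clause keeps any row that has at least one populated column; change the 7 if you add or remove fields from the foreach list. Running fillnull after the filter means the "NA" placeholder only appears in rows that carry some real data, which is what a reviewer of a failed-login dashboard usually wants to see.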