Splunk Search

How to filter out fields from my search that contain a dash "-" as a value?

lior_g
Explorer

I'm creating a dashboard that displays event "headers" for certain events,
and a drill down search that will display the full event.

The problem is, a lot of the events come with "empty" fields - instead of being null or non existent, they have - as the value.
I would like to remove fields that only contain -, so I will be able to search | table * and receive a table that only contains fields with data.

Any ideas?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Not sure how efficient this will be for your query, but see this runanywhere sample

| gentimes start=-4  | eval Somesh="-" | table [| gentimes start=-4  | eval Somesh="-" | fieldsummary | search values!="[{\"value\":\"-\",*" | stats values(field) as search  delim="," | nomv search]

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Not sure how efficient this will be for your query, but see this runanywhere sample

| gentimes start=-4  | eval Somesh="-" | table [| gentimes start=-4  | eval Somesh="-" | fieldsummary | search values!="[{\"value\":\"-\",*" | stats values(field) as search  delim="," | nomv search]

lior_g
Explorer

This does the trick, I wasn't aware that you can put a sub query after table.

0 Karma

javiergn
SplunkTrust
SplunkTrust

Try appending this before the table:

| query
| search NOT yourfieldname="-"
| table *

If that's not exactly what you are looking for please give us an example and ideally post the query here.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...