eventtype=qualys_vm_detection_event STATUS!="FIXED"
| fillnull value=- PROTOCOL
| dedup 1 HOST_ID, QID, PROTOCOL, STATUS keepempty=true sortby -_time
| stats list(HOST_ID) as HOST_ID, list(DNS) as Host_Name, list(OS), list(IP) as IP count(HOST_ID) by QID
| rename count(HOST_ID) AS HOSTS
| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY PATCHABLE
| table TITLE, CATEGORY, PATCHABLE, QID, HOSTS
| sort - HOSTS
| head 10
Using TITLE=* or TITLE!="" is not returning any results at all...
Does my answer above solve your question? If yes, spare a moment to accept the answer and vote for it. Thanks.
Try one of the following:
a. search | where isnull()
OR
b. FieldName != ''
OR
c. len(FieldName) > 0
Option (c) works pretty well.
If this solves your problem, spare a moment to reward points.
Thanks.
You should be able to use either of these:
| search TITLE="*"
Or:
| where isnotnull(TITLE)
Since you are getting the TITLE field from lookup, you can add the following where clause after lookup:
| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY PATCHABLE
| where isnotnull(TITLE)
@rkaakaty Please accept the answer if it has resolved your issue.
Use this to exclude null values on your stats command
usenull=f