How to exclude NULL return fields from my search?

rkaakaty · ‎05-31-2017

eventtype=qualys_vm_detection_event STATUS!="FIXED" 
| fillnull value=- PROTOCOL
| dedup 1 HOST_ID, QID, PROTOCOL, STATUS keepempty=true sortby -_time  
| stats list(HOST_ID) as HOST_ID, list(DNS) as Host_Name, list(OS), list(IP) as IP count(HOST_ID) by QID 
| rename count(HOST_ID) AS HOSTS
| lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY PATCHABLE  
| table TITLE, CATEGORY, PATCHABLE, QID, HOSTS
| sort - HOSTS
| head 10

Using TITLE=* or TITLE!="" is not returning any results at all...

nit123 · ‎07-15-2017

Does my answer above solve your question ? If yes, spare a moment to accept the answer and vote for it. Thanks.

nit123 · ‎05-31-2017

Either try from the following

a. search | where isnull()

OR

b. FieldName != ''

OR

c. len(FieldName )> 0

Option (c) works pretty good.

if this solves your prolem, spare a moment to reward points.

Thanks.

woodcock · ‎05-31-2017

You should be able to use either of these:

| search TITLE="*"

Or:

| where isnotnull(TITLE)

niketn · ‎05-31-2017

Since you are getting the TITLE field from lookup, you can add the following where clause after lookup:

   | lookup qualys_kb_lookup QID OUTPUT TITLE SEVERITY PATCHABLE 
   | where isnotnull(TITLE)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎05-31-2017

@rkaakaty Please accept the answer is it has resolved your issue.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

skoelpin · ‎05-31-2017

Use this to exclude null values on your stats command

usenull=f

How to exclude NULL return fields from my search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!