My working query returns a table with some NULL fields. This is because the query matches the initial result with a lookup table.
How can I exclude all entries with at least 1 NULL field from the final table?
Working Code:
sourcetype="WinEventLog:ForwardedEvents" EventCode=XXX field46="*" | rex field=field46 "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:)(?<ports>\d+)\s+\w+\W(?<Account>.*)" | dedup ip Account| stats values(ip) as Source_IP dc(ip) as count by Account| sort count desc | table Account count | head 100 | lookup GenericAccountDumpList Account OUTPUTNEW Column1 Column2 Column3
Result
Account  Count  Column1  Column2  Column3
Anna     100    abc      cde      efg
Brad     9      xyz      jjj      jlm
Terry    71     qyn      jjj      jlm
Andy     78     qyn                        -> must be excluded, some columns are NULL / empty
Maria    30                                -> must be excluded, some columns are NULL / empty
If field names are fixed
(your search)|search Column1=* Column2=* Column3=*
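An added example, not part of the original answer: when the lookup's output field names are not fixed, `foreach` can count the empty fields in each row, and filtering before `head` means the 100-row cut is taken after unmatched accounts are dropped rather than before. It assumes every lookup output field matches the wildcard `Column*`; `missing` is a hypothetical helper field, and the `stats` step is reduced to the two fields the question keeps in its final table.

```spl
sourcetype="WinEventLog:ForwardedEvents" EventCode=XXX field46="*"
| rex field=field46 "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:)(?<ports>\d+)\s+\w+\W(?<Account>.*)"
| stats dc(ip) as count by Account
| lookup GenericAccountDumpList Account OUTPUTNEW Column1 Column2 Column3
| eval missing=0
| foreach Column* [ eval missing=if(isnull('<<FIELD>>') OR '<<FIELD>>'=="", missing+1, missing) ]
| where missing=0
| fields - missing
| sort - count
| head 100
```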