Hello, I have this query:
index=main | table sourcetype, data, context, local_endpoint, remote_endpoint
| eval Ergebnis = replace(data,"^[^\@]+","")
| search Ergebnis=*
I need to remove the empty rows where the Ergebnis field does not have a value, but it does not work!
Thanks for the help 🙂
Hi
Give this a try:
index=main | table sourcetype, data, context, local_endpoint, remote_endpoint
| eval Ergebnis = replace(data,"^[^\@]+","")
| search Ergebnis !=""
Can you try:
| fillnull value=NULL Ergebnis | search NOT Ergebnis=NULL
If this does not work, please share a sample input event and the output which you are getting. Also, put your query in 101010 sample code format. Thank you.