Re: Filtering out header-only "events" after using...

FunPolice · ‎11-26-2010

I've been tweaking the *NIX app by adding some charts with queries such as:

index="os" sourcetype="who" host=$host$ | multikv | timechart count by USERNAME

The resulting chart has a large number of events where the USERNAME is NULL. This appears to be because the MultiKV command only filters out the header when there is a body in the event. If the "who" event only contains a header the MultiKV leaves it in the result set as an event.

What is the best way to get rid of these unwanted header "events"? I would prefer to index them, as then there is a contiguous record from the who script. I could use

index="os" sourcetype="who" | multikv | search _raw!="*USERNAME        LINE        HOSTNAME                                  TIME*"

however there are likely many other similar situations so a more generic solution would be helpful.

Is there a better way?

Thanks.

FunPolice · ‎05-23-2011

I've upgraded to 4.2 and will try again with the universal forwarder as soon as I get a chance. Stay tuned!

gkanapathy · ‎11-29-2010

I just don't get this behavior. multikv for me simply doesn't return the header rows, so I don't get this problem.

Ledion_Bitincka · ‎11-27-2010

a slightly better approach would be:

index="os" sourcetype="who" host=$host$ | multikv | search USERNAME=* | timechart count by USERNAME

basically filter out all results that are missing the USERNAME field

Filtering out header-only "events" after using MultiKV

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases