Solved: How can I remove a events from a search table

vino06 · ‎07-12-2017

Hi Guys,

Good Day!

Just want to ask on how can I remove YYYYMMDD HH24:MI:SS") event on my search table. Here is my search and the result.

index=nf_index source=/appl/in_house/batch/AS*
| multikv
| stats count by "ACCESS CODE"

s2_splunk · ‎07-12-2017

index=nf_index source=/appl/in_house/batch/AS* 
 NOT "ACCESS CODE"="YYYYMMDD*"
| multikv 
| stats count by "ACCESS CODE"

Or you could fix your data onboarding and don't index those events, because it seems these values are the result of something that is parsed incorrectly.

View solution in original post

s2_splunk · ‎07-12-2017

index=nf_index source=/appl/in_house/batch/AS* 
 NOT "ACCESS CODE"="YYYYMMDD*"
| multikv 
| stats count by "ACCESS CODE"

Or you could fix your data onboarding and don't index those events, because it seems these values are the result of something that is parsed incorrectly.

rjthibod · ‎07-12-2017

You could try the simple boolean check of isint()

index=nf_index source=/appl/in_house/batch/AS*
| multikv 
| stats count by "ACCESS CODE"
| where isint("ACCESS CODE")

How can I remove a events from a search table

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio