In my case, I needed rex to extract a “message” field that may or may not be present in an event, and when it is present it can be really dirty (it is user-generated text, so it can contain quotes, equals signs, or anything else). However, rex has the side effect of *always* creating the field you name in the capture group, even when nothing in the event actually matched (typically because a capture group such as `.*` is allowed to match the empty string, which leaves an empty but present field). As a result, every search carried that rex-extracted field name, which was not desired (and it is confusing to see a blank “message” field on, say, telemetry events).
Create a new field set to the value of the field you may want to get rid of, drop the original field, then rename the copy back to the original name, e.g. if the field in question is named “possiblynull”:
| eval maybenull=possiblynull
| fields - possiblynull
| rename maybenull AS possiblynull
This way, if the original field is actually empty, the copy is never created (eval does not create a field from an empty or null value), so once the original is dropped your search results will not end up with it present. Note that the `-` after `fields` must be a plain hyphen; a typographic dash there is a syntax error.
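A self-contained way to try the trick without any indexed data, as an added example that is not from the original post: makeresults builds three constructed events (a login carrying dirty user text, a telemetry event with no message at all, and a login whose message value is empty), then the rex/eval/fields/rename sequence described above is applied. The field name message, the key=value event layout and the regex are my assumptions, chosen so that the third event produces an empty capture.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
      n==1, "event=login user=bob message=hello \"world\" = 100% <script>",
      n==2, "event=telemetry cpu_pct=12 mem_pct=40",
      n==3, "event=login user=eve message=")
| fields - n
| rex field=_raw "message=(?<message>.*)"
| eval maybenull=message
| fields - message
| rename maybenull AS message
| table _raw message
```

Paste it into the search bar as-is; only rows where the capture actually picked something up should end up carrying the message field. Where the regex allows it, requiring at least one character in the capture group (`.+` instead of `.*`) avoids the empty extraction in the first place, but the copy-and-rename sequence works regardless of how the field was produced, which is why it is handy after a rex you cannot change.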
A few Splunk Answers related to this scenario: