2017-03-21 08:18 AM
Hi All,
I am on rsa sa version 10.6.2 and recently i have observed that I am unable to filter the null values in reporting part of RSA SA.
Currently i was creating a report under Concentrator where under one column i see the column are appearing as blank.
So using null operation i tried to filter out the values where fields are appearing BLANK on execution but each time fail to filter out the null.
Need help on the same.
Concentrator rule sample used as follows:
------
device.type = 'ABC' && device.ip = 10.20.30.40 && action != 'Null'
------
Everytime it runs successful but still i see the null values are appearing in reports
2017-03-22 04:21 AM
Use - device.ip = x.x.x.x && action exists
2017-03-27 05:16 PM
If you mean Null: Non-existent value.
Use:
device.type = 'ABC' && device.ip = 10.20.30.40 && action exists
If you are using the reporting engine.
Use a then clause to filter these out:
filter_out (string filter, string field)
filter_out('null', 'action')
That should work.