Remove null values from aggregated table visualization

Hi all,
I have a simple visualization issue in Kibana that I suspect is harder to fix than I thought; here is my situation:
I have an index where the docs have different fields, however one of these fields is common to all the docs. When in "Visualize" I create a simple table view aggregated on this common field I have my desired visualization; however when I request the top values for some other field I need, I obtain a hyphen ("-") value for the docs where this field is not present:
[Image: aggregate]

Now this would not be a problem if not for the fact that this null value is counted against the size limit of the aggregation, so to include all the values I want I have to raise its limits a lot and, even in this case, the visual output is a confused mess of commas and hyphens.

Is there a way to easily filter out the null values, or do I have to create a filter for each "top hit" aggregation? Bear in mind that I cannot filter the whole visualization because the fields I want can pop up in any doc (they are extracted using kv in Logstash, so I have no idea how many there are or which docs contain them; the common field is my only guide here).

In Splunk you can use the command "|where isnotnull(field)" and call it a day, but is there something similar in ELK?
