Splunk Search

How to make a table containing columns with non-empty values (or other criteria) from non-indexed data?

halr9000
Motivator

I'm doing this REST call to query the system for modular inputs:

| rest /services/data/modular-inputs | table title description

Before running this through the table command, the output was extremely wide because of the way this particular data has fields broken out. My ideal end goal is something like "make me a table of arbitrary REST command output but only include fields which are in every event". I started thinking how to do this with the metadata command when I realized that there is no index metadata to query as this data isn't indexed. Now, I'm out of ideas. TIA

1 Solution

somesoni2
SplunkTrust
SplunkTrust

One more workaround

| rest /services/data/modular-inputs  | table [| rest /services/data/modular-inputs | fieldsummary  maxvals=1| eventstats max(count) as max | where count=max | table field | eval field=field."," | mvcombine field | nomv field | rename field as search]

halr9000
Motivator

I like this version. It comes out close to 50% faster in my slightly-scientific tests. Thanks!

martin_mueller
SplunkTrust
SplunkTrust

Mildly hacky, but it works:

| rest /services/data/modular-inputs | fillnull value="§%&$&ZH$%%" | untable id field value | eventstats count(eval(isnull(value) OR trim(value)="" OR value="§%&$&ZH$%%")) as nulls by field | where nulls=0 | xyseries id field value
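Both answers above apply the same selection rule in SPL: count, per field, how many events carry a non-empty value, then keep only the fields whose count covers every event (somesoni2 keeps fields at the maximum count; martin_mueller keeps fields with zero nulls). The Python below is an added example, not code from the thread, that reproduces that rule outside of Splunk for anyone pulling the same endpoint over the REST API directly. It assumes the collection JSON shape the REST API returns with output_mode=json (a top-level "entry" list whose items carry their attributes under "content" and their name under "name"); the sample entries are constructed for the example and are not real modular-input definitions.

```python
"""Keep only the fields that every record carries a non-empty value for.

Added example (not the thread's own code). Mirrors the SPL rule from the
answers above: a field survives only if its non-blank count equals the
number of events (or, optionally, equals the highest count seen).
"""
from collections import Counter
from typing import Any, Dict, Iterable, List

# Constructed sample, shaped like a Splunk REST collection response
# (assumption: "entry" list, attributes under "content", name under "name").
SAMPLE_RESPONSE = {
    "entry": [
        {"name": "input_a", "content": {"description": "first", "extra.arg": "x"}},
        {"name": "input_b", "content": {"description": "second", "other": ""}},
        {"name": "input_c", "content": {"description": "third", "extra.arg": None}},
    ]
}


def is_blank(value: Any) -> bool:
    """Same emptiness test as the SPL: null, or a string that trims to nothing."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def records_from_response(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten REST entries into one flat dict per row, roughly as | rest does.

    The entry name is exposed as "title" so that the rows line up with the
    fields the question's search tables (assumption about | rest's mapping).
    """
    rows = []
    for entry in response.get("entry", []):
        row = dict(entry.get("content", {}))
        row.setdefault("title", entry.get("name"))
        rows.append(row)
    return rows


def fields_in_every_record(records: Iterable[Dict[str, Any]],
                           require_all: bool = True) -> List[str]:
    """Return the fields worth tabling, in first-seen order.

    require_all=True  -> field must be non-blank in every record
                         (martin_mueller's "where nulls=0").
    require_all=False -> field must reach the highest non-blank count seen
                         (somesoni2's "where count=max"); this still returns
                         fields when nothing is present in every record.
    """
    records = list(records)
    counts: Counter = Counter()
    for rec in records:
        for field, value in rec.items():
            if not is_blank(value):
                counts[field] += 1
    if not counts:
        return []
    threshold = len(records) if require_all else max(counts.values())
    return [field for field, n in counts.items() if n == threshold]


def table(records: Iterable[Dict[str, Any]], fields: List[str]) -> List[Dict[str, Any]]:
    """Project each record onto the chosen fields, like | table <fields>."""
    return [{f: rec.get(f) for f in fields} for rec in records]


if __name__ == "__main__":
    rows = records_from_response(SAMPLE_RESPONSE)
    keep = fields_in_every_record(rows)
    for line in table(rows, keep):
        print(line)
```

On the constructed sample, "extra.arg" is blank in one entry and "other" is blank everywhere, so only title and description survive, which is the narrow table the question asks for. The two SPL answers differ only when no field is populated in every event: the count=max variant then still returns the best-covered fields, while the nulls=0 variant returns nothing; the require_all flag exposes that choice.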

somesoni2
SplunkTrust
SplunkTrust

Nice one!!

halr9000
Motivator

Not sure which to pick! 🙂

martin_mueller
SplunkTrust
SplunkTrust

The one that doesn't need to cheat with a subsearch of course 😛

halr9000
Motivator

I gave ya points. 🙂
