Sometimes Splunk has extra null fields floating around (e.g., after fields nosuchfield *
). Is there a command which automatically removes fields which have only null values?
@skawasaki_splunk provided a good answer to How to only display fields with values in a table, which I adapted to my situation.
If your records have a unique Id field, then the following snippet removes null fields:
| stats values(*) as * by Id
The reason is that "stats values won't show fields that don't have at least one non-null value".
If your records don't have a unique Id field, then you should create one first using streamstats:
| streamstats count as Id | stats values(*) as * by Id
(Warning: if your data has multivalued lists, then stats values will remove duplicates and sort lexicographically.)
I had a similar issue where I was trying to display the data in a 2 column/multi-row format so I did this:
| table datafield1 datafield2 datafield3 datafield4 datafield5 ...
| transpose
| rename column as Data "row 1" as Value
| where Value NOT NULL
This gives me the ability to put in as many fields as I want (which visually is very wide), flip it (| transpose) to only give me 2 columns, and remove every row with no data (| where). Hope this helps. Thanks.
@skawasaki_splunk provided a good answer to How to only display fields with values in a table, which I adapted to my situation.
If your records have a unique Id field, then the following snippet removes null fields:
| stats values(*) as * by Id
The reason is that "stats values won't show fields that don't have at least one non-null value".
If your records don't have a unique Id field, then you should create one first using streamstats:
| streamstats count as Id | stats values(*) as * by Id
(Warning: if your data has multivalued lists, then stats values will remove duplicates and sort lexicographically.)
Using fields - nosuchfield
is not satisfactory, since I might not know what the null field names are in advance.