Selecting all non null fields from

nisha_kapoor · ‎07-08-2017

I am trying to display only those fields which contain a non null value. What is wrong with this command to achieve my purpose?

index="test" | fields -isnull(*)

It simply displays my data as a raw csv record, whereas what I want it to get all those fieldnames which are not "".

DalJeanis · ‎07-08-2017

fields doesn't display anything, it just eliminates whatever isn't named.

This sequence will kill all variables that have only null values in all records...

| rename _time as temptime
| streamstats count as recno
| untable recno field value
| xyseries recno field value
| rename temptime as _time

You will have to use the rename before-and-after sequence on any internal fields starting with _ that you want to retain.

woodcock · ‎07-08-2017

Do this:

index="test" | stats values(*) AS * BY _serial

I am pretty sure that you will be unhappy with the results because I am quite certain that what you asked is not what you are really trying to do.

nisha_kapoor · ‎07-08-2017

Thank you for your reply, what I want is a list of fields having at least one non-null value. In other words, I want to eliminate the fields having null values for all records.

niketn · ‎07-09-2017

" I want to eliminate the fields having null values for all records."

-- If you put a field in table and all the field values are null then the field will anyways be removed from being displayed. Please add some sample data with example of what is being displayed vs what is it that you want.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Selecting all non null fields from

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms