I am trying to display only those fields which contain a non null value. What is wrong with this command to achieve my purpose?
index="test" | fields -isnull(*)
It simply displays my data as a raw csv record, whereas what I want it to get all those fieldnames which are not "".
fields
doesn't display anything, it just eliminates whatever isn't named.
This sequence will kill all variables that have only null values in all records...
| rename _time as temptime
| streamstats count as recno
| untable recno field value
| xyseries recno field value
| rename temptime as _time
You will have to use the rename
before-and-after sequence on any internal fields starting with _
that you want to retain.
Do this:
index="test" | stats values(*) AS * BY _serial
I am pretty sure that you will be unhappy with the results because I am quite certain that what you asked is not what you are really trying to do.
Thank you for your reply, what I want is a list of fields having at least one non-null value. In other words, I want to eliminate the fields having null values for all records.
" I want to eliminate the fields having null values for all records."
-- If you put a field in table and all the field values are null then the field will anyways be removed from being displayed. Please add some sample data with example of what is being displayed vs what is it that you want.