Hello Splunk experts,
I'm trying to figure out a better way to handle the large number of case statements that I would need to null out values across my fields when the value stored = 001. I'm currently doing something like what I have shown below:
searchHere
| eval field1=case(field1 == 001, null(),1=1, field1)
| eval field2=case(field2 == 001, null(),1=1, field2)
| eval field3=case(field3 == 001, null(),1=1, field3)
.... bunch more here
| stats values(*) by Key
This works as intended, but compiling all these evals is a pain. I was trying to loop through all my field* fields using the foreach command, but I can't seem to get the fields to maintain their names.
| foreach field* [eval <<FIELD>> = if(<<FIELD>> == 001, null(), <<FIELD>>)]
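Added example (not from the original post): constructed rows run through the foreach form with a three-argument if(), which is what the loop in the question needs; <<FIELD>> is substituted once per matching field, so each field keeps its own name. It assumes, as in the question, that the stored values compare numerically equal to 001.

```spl
| makeresults count=3
| streamstats count AS n
``` constructed sample rows: field1 is 001 on row 1, field2 on row 2, field3 on every row ```
| eval Key="k".n
| eval field1=if(n==1, "001", "A".n), field2=if(n==2, "001", "B".n), field3="001"
``` one eval per field* without writing them out by hand ```
| foreach field* [eval <<FIELD>> = if(<<FIELD>> == 001, null(), <<FIELD>>)]
| fields - _time n
| stats values(*) AS * by Key
```

stats values(*) omits a field that is null in every row of a group, so the 001 entries (and field3 entirely) disappear from the output instead of appearing as empty values.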
Figured out a better way to do this using streamstats
| streamstats count as counter
| stats values(*) as * by counter
| fields - counter