Splunk Search

remove a blank line from a file

abhayneilam
Contributor

Hi, I would like to remove a blank line from a file based on certain fields.

If that field is blank, I will remove the whole record.

Kindly help!!

Thanks
Abhay


MHibbin
Influencer

This is a bit of an open-ended question, and if the following does not answer your question please provide some more details and examples.

I suspect that you mean that if a field for certain events contains a NULL value (i.e. nothing), then you would like to exclude the whole event from the results. This is easily achievable by using the where command and the isnotnull() function. For example, say I have the following search and results (where the fields have already been extracted):

sourcetype=myST | table field1, field2, field3

field1 | field2 | field3
foo    |  1234  | qwerty
bar    |        | ytrewq
blah   |  5678  | qywter

And you wish to remove any row where field2 does not contain a value, you could extend the search to the following:

sourcetype=myST | table field1, field2, field3 | where isnotnull(field2)

Which would give the following results:

foo    |  1234  | qwerty
blah   |  5678  | qywter

I hope this helps answer your question. If it does not, the following could be possible answers...

If you mean that there are blank lines at the end of each event, or there are events with no values whatsoever, you could be experiencing issues with line-breaking/event-breaking. If this is the case, you should look at the following (this will not work on historically indexed data, and may require a re-index of data):

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Indexmulti-lineevents
http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf

If you mean that your data sources are generating blank lines/fields and you wish to exclude these events, you should probably create a script that will read through and "modify" the output to meet your requirements using logical statements and functions that strip out white space (e.g. Python's strip() function).

For help on these points, please update your question with more details and examples.

Hope this helps.

MHibbin
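The pre-indexing script suggested in the answer above, as an added example that is not part of the original post. The pipe-delimited layout with a header row, the sample rows and the function name `drop_blank_records` are assumptions made for illustration.

```python
import csv
import io

# Constructed sample input: the rows from the answer's table as pipe-delimited
# text, with a whitespace-only field2 and a fully blank line added.
SAMPLE = """field1|field2|field3
foo|1234|qwerty
bar|  |ytrewq

blah|5678|qywter
"""


def drop_blank_records(src, dst, required, delimiter="|"):
    """Copy records from src to dst, skipping blank lines and any record in
    which one of the `required` fields is missing or empty after strip().
    Returns (kept, dropped) so the caller can log how much was removed."""
    reader = csv.reader(src, delimiter=delimiter)
    writer = csv.writer(dst, delimiter=delimiter, lineterminator="\n")
    header = [name.strip() for name in next(reader)]
    # header.index() raises ValueError on a misspelled field name, which is
    # safer than silently filtering on the wrong column.
    positions = [header.index(name) for name in required]
    writer.writerow(header)
    kept = dropped = 0
    for row in reader:
        # A blank line arrives as [] and a line of bare delimiters as empty
        # cells; both count as records to drop.
        if not any(cell.strip() for cell in row):
            dropped += 1
            continue
        # A short row (field missing entirely) is treated like a blank field.
        if any(p >= len(row) or not row[p].strip() for p in positions):
            dropped += 1
            continue
        writer.writerow([cell.strip() for cell in row])
        kept += 1
    return kept, dropped


if __name__ == "__main__":
    out = io.StringIO()
    kept, dropped = drop_blank_records(io.StringIO(SAMPLE), out, ["field2"])
    print(out.getvalue(), end="")
    print(f"kept={kept} dropped={dropped}")
```

Logging the dropped count on each run makes it visible when a source starts emitting far more blank records than usual.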
