Security

How to hide an empty value field

bestSplunker
Contributor

Dear all:
I have some firewall logs. I need to extract the newly added ACL rules from them. I used basic searches to filter out the non-ACL logs.
index=top_firewall firewall policy add
I find that the values of some fields are empty after I extract the fields.
All fields in the log:
srcarea, srcvlan, srcrole, dstarea, dstvaln, src, dst, service, sport, dport, orig-dst, schedule
That's because sometimes the network administrator will only input a source IP, a destination IP and a destination port when they add ACL rules. So you can see in the log that all fields except src, dst and dport are empty.
But sometimes they input a source area or source VLAN. If so, the fields src and dst will be empty.

So I want to show the result as a table. Is there a way to dynamically display a field: if the field is empty, hide it, and if the value of the field is not empty, display it?

All help will be appreciated.

0 Karma

DalJeanis
Legend

If you want to eliminate all columns that have no data in the column, then you can use something like this...

your search that gets the data 
| fields ... list all the fields you might be interested in ...

| rename COMMENT as "assign each record a unique record number, then break it down into one record per field on each record"
| streamstats count as recno
| untable recno fieldname fieldvalue
| where isnotnull(fieldvalue)

| rename COMMENT as "put each record back together"
| xyseries recno fieldname fieldvalue

You can use whatever criteria you want to get rid of individual fields, where the isnotnull(fieldvalue) is.

0 Karma

woodcock
Esteemed Legend

You have not given us enough detail as to what "empty" and "hide" mean. There are MANY ways to do this, depending on what you really mean/need.

You can determine "empty" with if(len(field)==0) or isnull(field). You can use fillnull field value="empty" or eval field=coalesce(field, "empty") to give it a value that prints so that it won't disappear. Be more specific and show your existing SPL and outputs with a mockup of desired output and you will get better answers.

0 Karma

renjith_nair
Legend

@bestSplunker,

If you are not concerned about the field name, you can do that with:

index=top_firewall firewall policy add|eval source=coalesce(src,srcarea,srcvlan,srcrole),dest=coalesce(dst,dstarea,dstvaln),port=coalesce(sport,dport)

coalesce will return the first non-null value.

Happy Splunking!
0 Karma
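To make the behaviour of the coalesce() approach concrete, here is an added example (not from the thread) that applies the same three coalesce expressions to constructed events. The function names and the sample values are assumptions for illustration; the argument order of each coalesce matches the SPL in the answer.

```python
# Emulation of:
#   eval source=coalesce(src,srcarea,srcvlan,srcrole),
#        dest=coalesce(dst,dstarea,dstvaln),
#        port=coalesce(sport,dport)
# Added example; events are constructed.


def coalesce(*values):
    """Splunk's coalesce(): first argument that is not null.
    An empty string is treated as null here, matching a field that
    extraction produced but left blank."""
    for v in values:
        if v is not None and v != "":
            return v
    return None


def normalize_acl_event(event):
    """Collapse the alternative source/destination/port fields into
    one column each, so a table never shows an empty src or dst."""
    g = event.get
    return {
        "source": coalesce(g("src"), g("srcarea"), g("srcvlan"), g("srcrole")),
        "dest":   coalesce(g("dst"), g("dstarea"), g("dstvaln")),
        "port":   coalesce(g("sport"), g("dport")),
    }


# Constructed events covering the two cases described in the question:
# IP-based rules, and area/VLAN-based rules where src and dst are empty.
SAMPLE_EVENTS = [
    {"src": "10.1.1.5", "dst": "10.2.2.9", "dport": "443"},
    {"srcarea": "", "srcvlan": "vlan20", "dstarea": "core", "dport": "53"},
    {"srcrole": "admins", "dst": "10.2.2.1", "sport": "1024", "dport": "22"},
]


def normalize_all(events=SAMPLE_EVENTS):
    return [normalize_acl_event(e) for e in events]


if __name__ == "__main__":
    for row in normalize_all():
        print(row)
```

One thing to watch when reviewing ACL additions this way: because each column keeps only the first non-null value, the table no longer tells you which original field supplied it (for the third sample, the port column shows sport and silently drops dport). If the distinction between a source VLAN and a source IP matters for your review, keep the original fields alongside the coalesced ones.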

auraria1
Path Finder

There are a couple of ways to go about this, depending on how you want to view the data.

If you simply want to show only results from a field that are not null, it's as simple as:

index=your_index field!="NULL"

Another way is:

index=your_index field="*"

However, if you're trying to make a table, that won't work for you; you can use fillnull to change the value to "empty":

| fillnull value="empty" field1

For multiple fields you have to do multiple fillnull statements such as:

| fillnull value="empty" field1
| fillnull value="empty" field2
| fillnull value="empty" field3

Then once you have that you can filter based on the value of empty in that field.

Does that help? Or could you give a bit more detail on what you're trying to do?

0 Karma