Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove empty fields?

Siddharthnegi
Communicator
‎12-13-2023 01:42 AM

| table Status, timeval, CompanyCode, CN
|appendpipe [stats count| eval error="thats not cool" | where count==0 |table error |fields - Status, timeval, CompanyCode, CN]

these are the last two lines of a search , so in this search if in fields (Status, timeval, CompanyCode, CN) there is no values or the all the fields are empty then i have to display a message which in this case is "thats not cool"
, it is working but in the result as you can see all the empty fields are also displaying in the result . But I want only the error field if other fields are empty. Can anyone help?

Siddharthnegi_0-1702460432617.png

 

Labels (1)
Labels
0 Karma
Reply

glc_slash_it
Path Finder
‎12-13-2023 05:54 AM

Hi,

I think you could use something like this instead:

https://community.splunk.com/t5/Splunk-Search/Removing-all-null-columns-from-stats-table/m-p/566579

 

------------
If this was helpful, some karma would be appreciated.

Reply

Siddharthnegi
Communicator
‎12-13-2023 08:40 AM


Thanks for the reply but my problem is little different my search has table command before using appendpipe for displaying scustom message , and now the problem is if table is empty it should display only custom message but it is showing empty table plus the message  like image below. 


Siddharthnegi_0-1702485565674.png

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-13-2023 02:09 PM

You can use the @PickleRick solution just by adding his code after your appendpipe, but if you normally have a LOT of rows then the transpose and row processing may be very quite heavy.

There is an alternate solution, not sure how this will perform with a large result set and how it differs to the other one.

your base search with results...
| appendpipe [
 | stats count | where count=0
 | eval error="None"
 | fields - count
 ]
``` Rename all fields to X_* ```
| rename * as X_*
``` Now move those fields to the real name if it's not null ```
| foreach X_* [ eval "<<MATCHSTR>>"=if(isnull(<<FIELD>>), null(), <<FIELD>>) ]
``` and remove all the original X_ fields, so that non-null fields remain ```
| fields - X_*

With Splunk there is often more than one way to solve a problem 😁

Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-13-2023 08:56 AM

Hi

Why you cannot/don't want to use @glc_slash_it & @PickleRick answer? At least with test data it seems to work. You could test it like 

<your basesearch OR | makeresults>
| table Status, timeval, CompanyCode, CN 
| appendpipe 
    [ stats count 
    | eval error="thats not cool" 
    | where count==0 
    | table error 
    | fields - Status, timeval, CompanyCode, CN] 
| transpose 0 
| eval allnulls=1 
| foreach row* 
    [ eval allnulls=if(isnull('<<FIELD>>'),allnulls,0) ] 
| where allnulls=0 
| fields - allnulls 
| transpose 0 header_field=column 
| fields - column

r. Ismo 

Reply

Siddharthnegi
Communicator
‎12-14-2023 03:22 AM

thanks this solution is working for some test cases.
in other test case

Siddharthnegi_0-1702552868954.png

like in this one count field is zero , so i want custom message if count field is zero , any suggestions.

0 Karma
Reply

Siddharthnegi
Communicator
‎12-13-2023 09:37 PM

just a small question what will come in <<FIELD>> ?

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-13-2023 10:15 PM

Check out the docs for foreach

https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/foreach

The <<FIELD>> template is replaced with the value of the field being iterated through. In your context, it is the value of the row* field being evaluated.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...