topic Re: remove a blank line from a file in Splunk Search https://community.splunk.com/t5/Splunk-Search/remove-a-blank-line-from-a-file/m-p/92534#M182367 <P>This is a bit of an open-ended question, and if the following does not answer your question please provide some more details and examples.</P> <P>I suspect that you mean that if a field for a certain events contains a <CODE>NULL</CODE> value (i.e. nothing), then you would like to exclude the whole event from the results. This is easily achievable by using the <CODE>where</CODE> command and the <CODE>isnotnull()</CODE> function. For example say I have the following search and results (where the fields have already been extracted):</P> <PRE><CODE>sourcetype=myST | table field1, field2, field3 field1 | field2 | field3 foo | 1234 | qwerty bar | | ytrewq blah | 5678 | qywter </CODE></PRE> <P>And you wish to remove any row where field2 does not contain a value, you could extend the search to the following:</P> <PRE><CODE>sourcetype=myST | table field1, field2, field3 | where isnotnull(field2) </CODE></PRE> <P>Which would give the following results:</P> <PRE><CODE>foo | 1234 | qwerty blah | 5678 | qywter </CODE></PRE> <P>I hope this helps answer your question. If it does not, the following could be possible answers...</P> <P>If you mean that there are blank lines at the end of each event, or there are events with no values what so ever, you could be experiencing issues with line-breaking/event-breaking. If this is the case, you should look at the following (this will not work on historically indexed data, and may require a re-index of data):</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/Indexmulti-lineevents">http://docs.splunk.com/Documentation/Splunk/5.0/Data/Indexmulti-lineevents</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf</A></P> <P>If you mean that your data sources are generating blank lines/fields and you wish to exclude these events, you should probably create a script that will read through and "modify" the output to meet your requirements using logical statements and funtions that strip out white space (e.g. such as python's <CODE>strip()</CODE> function).</P> <P>For help on these points, please update your question with more details and examples</P> <P>Hope this helps.</P> <P>MHibbin</P> Wed, 17 Oct 2012 08:17:43 GMT MHibbin 2012-10-17T08:17:43Z remove a blank line from a file https://community.splunk.com/t5/Splunk-Search/remove-a-blank-line-from-a-file/m-p/92533#M182366 <P>Hi , I would like to remove a blank line from a file based on certain fields</P> <P>If that field is blank, i will remove the whole record</P> <P>Kindly help !!</P> <P>Thanks <BR /> Abhay</P> Tue, 16 Oct 2012 20:11:35 GMT https://community.splunk.com/t5/Splunk-Search/remove-a-blank-line-from-a-file/m-p/92533#M182366 abhayneilam 2012-10-16T20:11:35Z Re: remove a blank line from a file https://community.splunk.com/t5/Splunk-Search/remove-a-blank-line-from-a-file/m-p/92534#M182367 <P>This is a bit of an open-ended question, and if the following does not answer your question please provide some more details and examples.</P> <P>I suspect that you mean that if a field for a certain events contains a <CODE>NULL</CODE> value (i.e. nothing), then you would like to exclude the whole event from the results. This is easily achievable by using the <CODE>where</CODE> command and the <CODE>isnotnull()</CODE> function. For example say I have the following search and results (where the fields have already been extracted):</P> <PRE><CODE>sourcetype=myST | table field1, field2, field3 field1 | field2 | field3 foo | 1234 | qwerty bar | | ytrewq blah | 5678 | qywter </CODE></PRE> <P>And you wish to remove any row where field2 does not contain a value, you could extend the search to the following:</P> <PRE><CODE>sourcetype=myST | table field1, field2, field3 | where isnotnull(field2) </CODE></PRE> <P>Which would give the following results:</P> <PRE><CODE>foo | 1234 | qwerty blah | 5678 | qywter </CODE></PRE> <P>I hope this helps answer your question. If it does not, the following could be possible answers...</P> <P>If you mean that there are blank lines at the end of each event, or there are events with no values what so ever, you could be experiencing issues with line-breaking/event-breaking. If this is the case, you should look at the following (this will not work on historically indexed data, and may require a re-index of data):</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0/Data/Indexmulti-lineevents">http://docs.splunk.com/Documentation/Splunk/5.0/Data/Indexmulti-lineevents</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/5.0/admin/Propsconf</A></P> <P>If you mean that your data sources are generating blank lines/fields and you wish to exclude these events, you should probably create a script that will read through and "modify" the output to meet your requirements using logical statements and funtions that strip out white space (e.g. such as python's <CODE>strip()</CODE> function).</P> <P>For help on these points, please update your question with more details and examples</P> <P>Hope this helps.</P> <P>MHibbin</P> Wed, 17 Oct 2012 08:17:43 GMT https://community.splunk.com/t5/Splunk-Search/remove-a-blank-line-from-a-file/m-p/92534#M182367 MHibbin 2012-10-17T08:17:43Z