topic How to remove empty fields? in Splunk Search

How to remove empty fields?

Siddharthnegi — Wed, 13 Dec 2023 13:55:25 GMT

| table Status, timeval, CompanyCode, CN
|appendpipe [stats count| eval error="thats not cool" | where count==0 |table error |fields - Status, timeval, CompanyCode, CN]

these are the last two lines of a search , so in this search if in fields (Status, timeval, CompanyCode, CN) there is no values or the all the fields are empty then i have to display a message which in this case is "thats not cool"
, it is working but in the result as you can see all the empty fields are also displaying in the result . But I want only the error field if other fields are empty. Can anyone help?

Re: splunk

glc_slash_it — Wed, 13 Dec 2023 13:54:49 GMT

Hi,

I think you could use something like this instead:

https://community.splunk.com/t5/Splunk-Search/Removing-all-null-columns-from-stats-table/m-p/566579

------------
If this was helpful, some karma would be appreciated.

Re: splunk

Siddharthnegi — Wed, 13 Dec 2023 16:40:07 GMT

Thanks for the reply but my problem is little different my search has table command before using appendpipe for displaying scustom message , and now the problem is if table is empty it should display only custom message but it is showing empty table plus the message like image below.

Re: splunk

isoutamo — Wed, 13 Dec 2023 16:56:21 GMT

Why you cannot/don't want to use @glc_slash_it & @PickleRick answer? At least with test data it seems to work. You could test it like

r. Ismo

Re: splunk

bowesmana — Wed, 13 Dec 2023 22:09:29 GMT

You can use the @PickleRick solution just by adding his code after your appendpipe, but if you normally have a LOT of rows then the transpose and row processing may be very quite heavy.

There is an alternate solution, not sure how this will perform with a large result set and how it differs to the other one.

your base search with results... | appendpipe [ | stats count | where count=0 | eval error="None" | fields - count ] ``` Rename all fields to X_* ``` | rename * as X_* ``` Now move those fields to the real name if it's not null ``` | foreach X_* [ eval "<<MATCHSTR>>"=if(isnull(<<FIELD>>), null(), <<FIELD>>) ] ``` and remove all the original X_ fields, so that non-null fields remain ``` | fields - X_*

With Splunk there is often more than one way to solve a problem 😁

Re: splunk

Siddharthnegi — Thu, 14 Dec 2023 05:37:05 GMT

just a small question what will come in <<FIELD>> ?

Re: splunk

bowesmana — Thu, 14 Dec 2023 06:15:48 GMT

Check out the docs for foreach

https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/foreach

The <<FIELD>> template is replaced with the value of the field being iterated through. In your context, it is the value of the row* field being evaluated.

Re: splunk

Siddharthnegi — Thu, 14 Dec 2023 11:22:38 GMT

thanks this solution is working for some test cases.
in other test case

like in this one count field is zero , so i want custom message if count field is zero , any suggestions.