https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709376#M239743 <P>We have a lookup that has all kinds of domain (DNS) information in it with about&nbsp; 60 fields like create date, ASN, name server IP,&nbsp; MX IP, many of which are usually populated. But there are several fields which have no data - 10 to 20 on any given search (assuming that they are 'null'). The empty fields are likely to vary on each search. In other words some domains will have an MX record, some will not, but if they are in this lookup, they will always have a create-date.&nbsp;</P><P>I am presenting this data on a domain lookup dashboard, using "|transpose" so that you have a table with the field name and value on a dashboard. I would like to just show a field and a value where this is returned data and filter out or not show a field which is null. Is there a way to do this?</P> Tue, 21 Jan 2025 21:22:25 GMT donm 2025-01-21T21:22:25Z https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709376#M239743 <P>We have a lookup that has all kinds of domain (DNS) information in it with about&nbsp; 60 fields like create date, ASN, name server IP,&nbsp; MX IP, many of which are usually populated. But there are several fields which have no data - 10 to 20 on any given search (assuming that they are 'null'). The empty fields are likely to vary on each search. In other words some domains will have an MX record, some will not, but if they are in this lookup, they will always have a create-date.&nbsp;</P><P>I am presenting this data on a domain lookup dashboard, using "|transpose" so that you have a table with the field name and value on a dashboard. I would like to just show a field and a value where this is returned data and filter out or not show a field which is null. Is there a way to do this?</P> Tue, 21 Jan 2025 21:22:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709376#M239743 donm 2025-01-21T21:22:25Z https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709385#M239747 <P>Not sure if I fully understand the requirement. &nbsp;But in general, you can assign a non-null string to those fields. &nbsp;For example,</P><LI-CODE lang="markup">| eval MX = coalesce(MX, "MX is null")</LI-CODE><P>The issue, I suspect, is when you transpose, all those values representing null will collapse and skew format. &nbsp;Is this the problem? &nbsp;If so, &nbsp;you can force these values to be different, e.g.,</P><LI-CODE lang="markup">| eval MX = coalesce(MX, "MX is null for " . FQDN)</LI-CODE><P>Hope. this helps.</P> Wed, 22 Jan 2025 01:02:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709385#M239747 yuanliu 2025-01-22T01:02:13Z https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709456#M239786 <P>Hi - thanks for the idea, Sure, I could build that into the search, true.</P><P>On the output dashboard what you end up with is "1 2 3 next..." on the bottom right, so you need to click through to see all possible values from the lookup that we have on hand. Often enugh there are 4-6 rows of empty fields in the result set, because the data is transpose'd. I'm looking to make the returned data more compact, if you will.&nbsp;</P> Wed, 22 Jan 2025 14:14:05 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709456#M239786 donm 2025-01-22T14:14:05Z https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709465#M239791 <P>If I understand you correctly you want to remove all-empty columns from your original data, right?</P><PRE>&lt;your_search&gt;<BR />| transpose 0 include_empty=f</PRE><P>&nbsp;</P> Wed, 22 Jan 2025 14:53:28 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-Exclude-null-empty-fields-from-a-lookup-result-where-I/m-p/709465#M239791 PickleRick 2025-01-22T14:53:28Z