https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328626#M97820 <P>Try add this to your base search</P> <P>| transpose<BR /> | addtotals<BR /> | search Total&gt;0<BR /> | fields- Total<BR /> | transpose header_field=column<BR /> | fields - column</P> Thu, 12 Apr 2018 12:36:17 GMT HeinzWaescher 2018-04-12T12:36:17Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328622#M97816 <P>Hi all,<BR /> I have table looks like this</P> <P>Column1,Column2,Column3,....,ColumnX<BR /> 1,2,0,....5<BR /> 1,0,5,....3<BR /> 2,3,0,....0</P> <P>Sometimes, depending on the search duration, the result could look like this</P> <P>Column1,Column2,Column3,....,ColumnX<BR /> 1,0,0,....3<BR /> 2,0,0,....0<BR /> 3,0,0,....3</P> <P>I want to filter the column(s) that has only value "0" inside, so result will only show:<BR /> Column1,....ColumnX<BR /> 1,....3<BR /> 2,....0<BR /> 3,....3</P> <P>Is it possible?</P> <P>Thanks</P> Thu, 12 Apr 2018 05:22:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328622#M97816 Cbr1sg 2018-04-12T05:22:24Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328623#M97817 <P>why is <CODE>Column 1</CODE> in the final result? There is no <EM>0</EM> in the column. </P> Thu, 12 Apr 2018 11:42:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328623#M97817 cmerriman 2018-04-12T11:42:14Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328624#M97818 <P>And to be clear - you want to remove columnX for displaying if ALL columnX are zero, but display that column if <EM>any</EM> value in it is non-zero?</P> <P>E.g.</P> <PRE><CODE>1, 4, 0, 0 5, 0, 0, 4 2, 1, 0, 9 4, 0, 0, 0 0, 0, 0, 0 </CODE></PRE> <P>In that case, all 5 rows display, and columns 1, 2 and 4 are the only ones showing? is that right?</P> <P>And did you <EM>specifically</EM> want a dot in the column, or how do you want to display it? Not at all? like...<BR /> 1, 4, 0<BR /> 5, 0, 4<BR /> 2, 1, 9<BR /> 4, 0, 0<BR /> 0, 0, 0<BR /> (With column headers?)</P> Thu, 12 Apr 2018 11:48:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328624#M97818 Richfez 2018-04-12T11:48:48Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328625#M97819 <P>You could use the transpose command to remove columns with only zeros:<BR /> (Append to your search)</P> <PRE><CODE> | transpose | eval total=0 | foreach row* [eval total=total + '&lt;&lt;FIELD&gt;&gt;'] | where total &gt; 0 |fields - total | transpose header_field=column | fields - column </CODE></PRE> Thu, 12 Apr 2018 12:31:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328625#M97819 damien_chillet 2018-04-12T12:31:34Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328626#M97820 <P>Try add this to your base search</P> <P>| transpose<BR /> | addtotals<BR /> | search Total&gt;0<BR /> | fields- Total<BR /> | transpose header_field=column<BR /> | fields - column</P> Thu, 12 Apr 2018 12:36:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328626#M97820 HeinzWaescher 2018-04-12T12:36:17Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328627#M97821 <P>works perfectly as expected. Thank you very much!</P> Fri, 13 Apr 2018 01:57:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328627#M97821 Cbr1sg 2018-04-13T01:57:39Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328628#M97822 <P>The solution by HeinzWaescher is shorter and it's not allowed to accept more than 1 answer, but this works as well. Thank you very much!</P> Fri, 13 Apr 2018 01:59:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328628#M97822 Cbr1sg 2018-04-13T01:59:19Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328629#M97823 <P>because Column1 doesn't has only value "0" inside.<BR /> Column2 and 3 are filtered because all of the values inside those 2 columns are "0"</P> Fri, 13 Apr 2018 02:00:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328629#M97823 Cbr1sg 2018-04-13T02:00:57Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328630#M97824 <P>Yes, you got my question correctly. The dot is just a way to tell that there are more than 3 columns (could be 4, 5 or 20) in the table.<BR /> Yes, the column header needs to be retained at the final result.</P> Fri, 13 Apr 2018 02:03:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328630#M97824 Cbr1sg 2018-04-13T02:03:27Z https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328631#M97825 <P>Yup I've made it a bit over complicated <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Fri, 13 Apr 2018 10:38:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-only-column-s-that-has-value-greater-than-0/m-p/328631#M97825 damien_chillet 2018-04-13T10:38:28Z