Re: How to remove fields dynamically from a searc...

DiegoAlba · ‎04-17-2018

Hello, everyone, I hope you can help me.
My table seems like this:

Name    January February    March   April   May 
Security    8          6                    5           7       
Data    66        77                    86          88      
Logs    76        56                    45          83

I want to remove May dynamically because May hasn’t already happened
I want to remove the May column dynamically so the “field ” (fields - May) function doesn’t work because it is not dynamic. May is going to happen, what I tried to do and I was looking for is a function to do this.
If a column is null (no data) remove from the table

Can someone of you help me to solve this?

TISKAR · ‎04-18-2018

Hello,

Mr @DiegoAlba, And if you try this,

index=_internal 
| eval date_month=strftime(_time,"%Y-%m-%B")
| chart count by  date_month log_level 
| eval date_month=substr(date_month,9)
| transpose header_field=date_month column_name=log_level

This proposition can sorte the header colulmn ans eleminate the null value

You can juste copied and past this solution, if you have any problème comment this response please

Regards

nryabykh · ‎04-17-2018

You can try this:

% your search %
| fields Name 
    [| gentimes start=01/01/18 increment=1d 
    | eval month=strftime(starttime, "%B") 
    | dedup month 
    | stats list(month) as months 
    | nomv months
    | return $months]

But I believe, it's better to remove "May" somewhere before in your search, for example, by checking for nulls or something like that.

DalJeanis · ‎04-17-2018

That looks like the output of a chart command. The manipulation you are trying to do should PROBABLY be done BEFORE running the chart command.

If you post the actual search code, then we can help you do that.

Otherwise, the dynamic presentation of columns with English month names suffers from the problem that @cmerriman noted - they will not sort into the correct order. If you initially created the months as "2018_01 Jan", for example, you could then sort them back and if desired, reformat them back after sorting.

cmerriman · ‎04-17-2018

if the entire column is null, you could just do a |stats values(*) as * by Name and it'll only do the values for the fields with data. The only problem is that it will resort it alphanumerically. i'm not sure what the entire search/data looks like, but if you could have the months preceeding with 01-January, for instance, that would sort it properly, and then you could do a rename command in the end to remove the 01- if necessary.

DiegoAlba · ‎04-18-2018

Hey thank you so much,!

I had the problem you talk about resorting alphanumerically, so i put 01-January as you mentioned

Thanks ;D

somesoni2 · ‎04-17-2018

How are you getting the columns names for months? Are you doing some sort of Year to date report?

DiegoAlba · ‎04-18-2018

i made a chart couting by month, then i renamed them all but i had some problems of sorting so i had to put numbers.

niketn · ‎04-17-2018

@DiegoAlba is this for a report or dashboard? Would it be possible for you to share your query?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DiegoAlba · ‎04-18-2018

Thats for a report,, after exclude the column then i had some problems of sorting so i had to renama my columns as 01-january and so on...

than you so much Niketnilay ;D

How to remove fields dynamically from a search in Search Log Processing?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?