Hi all,
I'm going crazy with a table in Splunk.
What I'm trying to do is to dynamically create a table based on the non-null fields in my events.
I'm using a Simple XML dashboard.
This is the environment:
Event1: _time fieldA=<valueA> fieldB=<valueB> fieldC=<valueC> fieldD=<valueD> fieldE=<valueE>
Event2: _time fieldA=<valueA> fieldB=<valueB> fieldC=<valueC> fieldF=<valueF> fieldG=<valueG>
Event3: ...
If I use a search string like this
index=<my_index> fieldD=<valueD> | table *
The generated table appears like
_time fieldA fieldB fieldC fieldD fieldE fieldF fieldG
<time> <valueA> <valueB> <valueC> <valueD> <valueE>
Why does Splunk show the empty columns too?
How can I change my search to solve this issue?
Maybe it seems an easy thing but I'm not finding a solution.
Help me please! 🙂
@djluke
Add this query to the end of your query.
| streamstats count as temp_count
| stats values(*) as * by temp_count
| fields - temp_count
With a search such as ….|table *, if you want, for example, to remove a column from the displayed result, you can transform your search to ...|table * |fields - fieldName, where fieldName is the field you don't want to display.
You can do it for many fields at once like this: ….|table * |fields - fieldName1, fieldName2,…
This is an example that displays all fields except the fields host and index:
index=* |table *|fields - host ,index
Thanks for your answer.
I already knew there was the possibility to "filter" results using the fields command, but my question was related to the results shown by "table" command.
I can't predict which columns will be empty or filled before launching the search function. I'd like Splunk to show me only NOT NULL columns.
Is it possible?
Thanks
Hi,
I am also facing this issue of displaying only NOT NULL columns in a Splunk table.
Can someone help in this?
thanks