Solved: Remove column from table if

matthaeus · ‎08-04-2020

Hey there!

I'm quite new in Splunk an am struggeling again. What I'm trying to do is to hide a column if every field in that column has a certain value. I've already searched a lot online and found several solutions, that should work for me but don't.

Can anybody help me out here?

to4kawa · ‎08-04-2020

sample:

| makeresults
| eval _raw="unit,col1,col2,col3,col4,col5
a,-1,-2,-1,-1,-1
b,-1,-2,-2,-1,0
c,0,-2,0,-2,-2
d,-2,-2,0,-2,0"
| multikv forceheader=1
| table unit,col1,col2,col3,col4,col5
| untable unit cols value
| eventstats dc(value) as check1 by cols
| where !(check1=1 AND value=-2)
| xyseries unit cols value

View solution in original post

to4kawa · ‎08-04-2020

sample:

| makeresults
| eval _raw="unit,col1,col2,col3,col4,col5
a,-1,-2,-1,-1,-1
b,-1,-2,-2,-1,0
c,0,-2,0,-2,-2
d,-2,-2,0,-2,0"
| multikv forceheader=1
| table unit,col1,col2,col3,col4,col5
| untable unit cols value
| eventstats dc(value) as check1 by cols
| where !(check1=1 AND value=-2)
| xyseries unit cols value

matthaeus · ‎08-04-2020

Works perfectly, thanks so much!

thambisetty · ‎08-04-2020

@to4kawa answer works only for the data you posted, what if the values gets changed , lets say -2 becomes -3, every time you can't hardcode the value if you don't know the value exactly.

————————————
If this helps, give a like below.

thambisetty · ‎08-04-2020

can you share some examples?

————————————
If this helps, give a like below.

matthaeus · ‎08-04-2020

So I have Data like this:

	col1	col2	col3	col4	col5
a	-1	-2	-1	-1	-1
b	-1	-2	-2	-1	0
c	0	-2	0	-2	-2
d	-2	-2	0	-2	0

And what I want is, that column2 will not be displayed since all values in that column are "-2".

thambisetty · ‎08-04-2020

I am using inputcsv and outputcsv.

if you run below search that contains field town has same value.

| makeresults 
| eval state="AndhraPradesh,Karnataka,Tamilnadu" 
| makemv state delim="," 
| mvexpand state 
| table state 
| eval city=case(state="AndhraPradesh","Nellore,Vijayawada,Vizag",state="Karnataka","Bengaluru,Mysore",state="Tamilnadu","chennai") 
| makemv city delim="," 
| mvexpand city
| eval town="certain value"

and I have written these results to csv to make use of them in search which is used in fields command. The subsearch will take fields which have different values.

| makeresults 
| eval state="AndhraPradesh,Karnataka,Tamilnadu" 
| makemv state delim="," 
| mvexpand state 
| table state 
| eval city=case(state="AndhraPradesh","Nellore,Vijayawada,Vizag",state="Karnataka","Bengaluru,Mysore",state="Tamilnadu","chennai") 
| makemv city delim="," 
| mvexpand city
| eval town="certain value"
| outputcsv test.csv 
| fields [| inputcsv test.csv | stats dc(*) as * | transpose | where 'row 1' > 1 | table column | stats values(column) as search delim="," | table search]

————————————
If this helps, give a like below.

Remove column from table if

table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms