Solved: Re: Exclude empty fields from search

plcd63 · ‎01-17-2022

Dear Splunk Community,

I'm trying to extract a list of changed fields, but they should only be listed if they have a value.

<mysearch> | eval _raw="DeviceName:" . host ."
" . if(len(srcaddr)>0,"PolicySrc:" . srcaddr,"") ."
" . if(len(dstaddr)>0,"PolicyDst:" . dstaddr,"") ."
" . if(len(service)>0,"PolicySvc:" . service,"") ."

With len>0 I managed to hide the fields that have not changed, but in the results they are still there as a line break, e.g.

DeviceName: test

PolicyDst: dest1
PolicySvc svc1

How can I get rid of these line break(s)?

ITWhisperer · ‎01-17-2022

Does this work for you?

<mysearch> | eval _raw="DeviceName:" . host . if(len(srcaddr)>0,"
PolicySrc:" . srcaddr,"") . if(len(dstaddr)>0,"
PolicyDst:" . dstaddr,"") . if(len(service)>0,"
PolicySvc:" . service,"")

View solution in original post

richgalloway · ‎01-17-2022

The eval command as written will insert a newline regardless of the value of len. I suggest removing blank lines afterwards.

<mysearch> | eval _raw="DeviceName:" . host ."
" . if(len(srcaddr)>0,"PolicySrc:" . srcaddr,"") ."
" . if(len(dstaddr)>0,"PolicyDst:" . dstaddr,"") ."
" . if(len(service)>0,"PolicySvc:" . service,"") ."
```Remove blank lines```
| rex mode=sed "s/\n\n/\n/g"

---
If this reply helps you, Karma would be appreciated.

plcd63 · ‎01-17-2022

This also works. Many thanks!

ITWhisperer · ‎01-17-2022

Does this work for you?

<mysearch> | eval _raw="DeviceName:" . host . if(len(srcaddr)>0,"
PolicySrc:" . srcaddr,"") . if(len(dstaddr)>0,"
PolicyDst:" . dstaddr,"") . if(len(service)>0,"
PolicySvc:" . service,"")

plcd63 · ‎01-17-2022

Thank you :)!

Exclude empty fields from search

eval

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies