- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to hide a column in a table if every value...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to hide a column in a table if every value in that column is null?
How can I hide/not display a column in a table if every value in that column is null? Sometimes the column will have values. Splunk does a weird table width vs. Length of column values so I'm trying to save space and decrease horizontal scrolling if I can.
Stats count by foo, boo, bar
Foo, boo, bar
123,456,null
123,890,null
Only want to see
Foo, boo
123,456
123,890
if bar is always null
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try appending this at the end of your search:
...your search | streamstats count as serial | stats values(*) as * by serial | fields - serial
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your search | streamstats count as serial | stats values(*) as * by serial | fields - serial
Could you please explain how this command helps to hid columns which has null values in Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Appending the transpose command two times will help you out.
I am referring to this answer in a similar thread:
https://answers.splunk.com/answers/241186/removing-null-columns-from-a-table.html#answer-593190
Simply add:
| transpose 0
| transpose 0 header_field=column
| fields - column
//
Some further notes:
- Why it works: When transposing a table, Splunk automatically removes every resulting empty row (= previously empty column).
- The 0option makes sure that every row and every column gets transposed.
- The only downside: The transpose command is pretty time-consuming. Use it carefully.
- For further info in Splunk Doku: https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Transpose
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
base query....|fields - bar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply, but that's not quite what I'm asking. I know you can explicitly exclude fields in a search's output via the fields command.
What I'm looking for is conditionally not showing a field if all the field's values are null, otherwise show the field
index=myindex xyz=abc | if (values(whatever_field) = null) then (table foo_field, bar_field) ELSE (table foo_field, bar_field, whatever_field))
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
