Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make a table containing columns with non-empty values (or other criteria) from non-indexed data?

halr9000
Motivator
‎10-29-2014 01:00 PM

I'm doing this REST call to query the system for modular inputs:

| rest /services/data/modular-inputs | table title description

Before running this through the table command, the output was extremely wide because of the way this particular data has fields broken out. My ideal end goal is something like "make me a table of arbitrary REST command output but only include fields which are in every event". I started thinking how to do this with the metadata command when I realized that there is no index metadata to query as this data isn't indexed. Now, I'm out of ideas. TIA

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-29-2014 01:57 PM

One more workaround

| rest /services/data/modular-inputs  | table [| rest /services/data/modular-inputs | fieldsummary  maxvals=1| eventstats max(count) as max | where count=max | table field | eval field=field."," | mvcombine field | nomv field | rename field as search]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-29-2014 01:57 PM

One more workaround

| rest /services/data/modular-inputs  | table [| rest /services/data/modular-inputs | fieldsummary  maxvals=1| eventstats max(count) as max | where count=max | table field | eval field=field."," | mvcombine field | nomv field | rename field as search]
Reply
Solved! Jump to solution

halr9000
Motivator
‎10-30-2014 02:08 PM

I like this version. It comes out close to 50% faster in my slightly-scientific tests. Thanks!

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 01:40 PM

Mildly hacky, but it works:

| rest /services/data/modular-inputs | fillnull value="§%&$&ZH$%%" | untable id field value | eventstats count(eval(isnull(value) OR trim(value)="" OR value="§%&$&ZH$%%")) as nulls by field | where nulls=0 | xyseries id field value
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-29-2014 01:58 PM

Nice one!!

Reply
Solved! Jump to solution

halr9000
Motivator
‎10-29-2014 02:23 PM

Not sure which to pick! 🙂

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-29-2014 02:38 PM

The one that doesn't need to cheat with a subsearch of course 😛

Reply
Solved! Jump to solution

halr9000
Motivator
‎10-30-2014 02:09 PM

I gave ya points. 🙂

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...