Splunk Search

How to remove all null fields to prevent gaps in my table of results?

gracemaher
Explorer

Hi there,
I have a table with four fields inputted, but the issue is that some are blank in some of the events so it has huge gaps!
Is there a way to remove all null fields?

Thanks.

Tags (3)
1 Solution

rnotch
Explorer

What worked for me was something like this:

index=yourindex sourcetype=yoursourcetype | rex [if you are using rex to extract fields, it goes before fix. If not, you can skip this] | search fieldname1=* OR fieldname2=* OR fieldname3=* OR fieldname4=* | stats [or whatever table you are using]

What's happening here is it searches only field names that have a result (the * does not include nulls), and by using "OR" you make sure that if any result is in any of the four fields, that row stays in. This fix might not work well for 50 fields, but it is nice for a few.

View solution in original post

rnotch
Explorer

What worked for me was something like this:

index=yourindex sourcetype=yoursourcetype | rex [if you are using rex to extract fields, it goes before fix. If not, you can skip this] | search fieldname1=* OR fieldname2=* OR fieldname3=* OR fieldname4=* | stats [or whatever table you are using]

What's happening here is it searches only field names that have a result (the * does not include nulls), and by using "OR" you make sure that if any result is in any of the four fields, that row stays in. This fix might not work well for 50 fields, but it is nice for a few.

deepak_acalvio
Explorer

This is the correct answer, worked for me. Thanks for explaining about using OR as well.

masonmorales
Influencer
yoursearch | fillnull value="NULL" | search NOT NULL

gracemaher
Explorer

Same again, doesnt change anything in the table. 😞

0 Karma

masonmorales
Influencer

Sorry to hear that. Can you post the search you are using to create the table and some sample data please?

0 Karma

gracemaher
Explorer

Its ok, thank you for your help. had to do it via props.conf 🙂

0 Karma

MMCC
Path Finder

Thanks guys this lead me to the my solution. I added a where clause at the end. Currently we have some issues with the network trying to evaluate if there are peaks when the issues occur with tracert
index=main
| eval rtt1_ms=trim(RTT1, " ms")
| eval rtt2_ms=trim(RTT2, " ms")
| eval rtt3_ms=trim(RTT3, " ms")
| table timestamp, HopNr, rtt1_ms, rtt2_ms, rtt3_ms, IP | addtotals fieldname=totalDuration rtt*_ms
| sort timestamp
| fillnull value="NULL"
| where HopNr!="NULL"

0 Karma

stephanefotso
Motivator

Hello! Here is one option: Just say donot display null events where field=blank. ...|where field!=" "

index=_internal sourcetype=*|stats count by sourcetype|where  sourcetype!= " "

Thanks

SGF

fjordz
New Member

...|where field!=" " is the one that I'm looking for to delete a value that I don't need in a field. But how about if I have multiple values to delete? How do I do that?

For example:

...| where src!= "N/A" --> removes N/A values

I also want to remove all internal IP addresses under this field. I would like to filter it out by using 10.* but how do I include that in the syntax? Thanks!

0 Karma

gracemaher
Explorer

Hey Stephanefotso - this doesnt really seem to do anything for me lol...

0 Karma

stephanefotso
Motivator

Lets get your search query please.

SGF
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...