Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to remove all null fields to prevent gaps in my table of results?

gracemaher
Explorer
‎06-12-2015 06:53 AM

Hi there,
I have a table with four fields inputted, but the issue is that some are blank in some of the events so it has huge gaps!
Is there a way to remove all null fields?

Thanks.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

rnotch
Explorer
‎12-18-2017 01:51 PM

What worked for me was something like this:

index=yourindex sourcetype=yoursourcetype | rex [if you are using rex to extract fields, it goes before fix. If not, you can skip this] | search fieldname1=* OR fieldname2=* OR fieldname3=* OR fieldname4=* | stats [or whatever table you are using]

What's happening here is it searches only field names that have a result (the * does not include nulls), and by using "OR" you make sure that if any result is in any of the four fields, that row stays in. This fix might not work well for 50 fields, but it is nice for a few.

View solution in original post

Reply
Solved! Jump to solution
Solution

rnotch
Explorer
‎12-18-2017 01:51 PM

What worked for me was something like this:

index=yourindex sourcetype=yoursourcetype | rex [if you are using rex to extract fields, it goes before fix. If not, you can skip this] | search fieldname1=* OR fieldname2=* OR fieldname3=* OR fieldname4=* | stats [or whatever table you are using]

What's happening here is it searches only field names that have a result (the * does not include nulls), and by using "OR" you make sure that if any result is in any of the four fields, that row stays in. This fix might not work well for 50 fields, but it is nice for a few.

Reply
Solved! Jump to solution

deepak_acalvio
Explorer
‎02-08-2018 11:48 PM

This is the correct answer, worked for me. Thanks for explaining about using OR as well.

Reply
Solved! Jump to solution

masonmorales
Influencer
‎06-12-2015 07:54 AM 
yoursearch | fillnull value="NULL" | search NOT NULL
Reply
Solved! Jump to solution

gracemaher
Explorer
‎06-12-2015 07:56 AM

Same again, doesnt change anything in the table. 😞

0 Karma
Reply
Solved! Jump to solution

masonmorales
Influencer
‎06-12-2015 07:58 AM

Sorry to hear that. Can you post the search you are using to create the table and some sample data please?

0 Karma
Reply
Solved! Jump to solution

gracemaher
Explorer
‎06-12-2015 09:23 AM

Its ok, thank you for your help. had to do it via props.conf 🙂

0 Karma
Reply
Solved! Jump to solution

MMCC
Path Finder
‎02-06-2018 02:00 AM

Thanks guys this lead me to the my solution. I added a where clause at the end. Currently we have some issues with the network trying to evaluate if there are peaks when the issues occur with tracert
index=main
| eval rtt1_ms=trim(RTT1, " ms")
| eval rtt2_ms=trim(RTT2, " ms")
| eval rtt3_ms=trim(RTT3, " ms")
| table timestamp, HopNr, rtt1_ms, rtt2_ms, rtt3_ms, IP | addtotals fieldname=totalDuration rtt*_ms
| sort timestamp
| fillnull value="NULL"
| where HopNr!="NULL"

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎06-12-2015 07:29 AM

Hello! Here is one option: Just say donot display null events where field=blank. ...|where field!=" "

index=_internal sourcetype=*|stats count by sourcetype|where  sourcetype!= " "

Thanks

SGF
Reply
Solved! Jump to solution

fjordz
New Member
‎02-07-2017 06:03 PM

...|where field!=" " is the one that I'm looking for to delete a value that I don't need in a field. But how about if I have multiple values to delete? How do I do that?

For example:

...| where src!= "N/A" --> removes N/A values

I also want to remove all internal IP addresses under this field. I would like to filter it out by using 10.* but how do I include that in the syntax? Thanks!

0 Karma
Reply
Solved! Jump to solution

gracemaher
Explorer
‎06-12-2015 07:52 AM

Hey Stephanefotso - this doesnt really seem to do anything for me lol...

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎06-12-2015 08:22 AM

Lets get your search query please.

SGF
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Word Search

This challenge was first posted on Slack #puzzles channelThis puzzle is based on a letter grid containing ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4

Advent of CodeIn order to participate in these challenges, you will need to register with the Advent of Code ...

GA: S3 Promote for Historical Data Ingestion in Splunk Cloud

Ingest Historical S3 Data On-Demand: Announcing the General Availability of S3 Promote We’re excited to share ...