Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to remove columns from search results when they are empty?

JoshuaJohn
Contributor
‎08-17-2016 01:45 PM

I am trying to remove columns from my search when they return null. Previously, my entire panel would just result with "no results found", but I wanted to display something here instead of that message, so I appended a column, but when I tried to use fields - (column names), nothing really happened.

Here is my search:

index="nitro_prod_summary" earliest=-1h@m latest=@m [| `nitro_prod_cmdb` | search Category="merch" Service="*" Application="*" | search Application!="LOD" | stats count by Application | table Application] | join Application [ | `nitro_prod_cmdb` ] | search Alert_Type="*" Metric_Category="*" | eval FilterKey=Description.ID | dedup FilterKey |search Category!="FINANCE" | table Alert_Type Category Service Application Metric_Category Description Key ID | rename Metric_Category as "Type" Alert_Type as "Alert" count as Count | sort +Alert | appendpipe  [stats  count | eval  "Active Alerts"="None" | where  count==0 | fields  - count]

I tried:
fields - count, Alert_Type, Category, Service, Application, Metric_Category, Description, Key, ID
fields - count Alert_Type Category Service Application Metric_Category Description Key ID
fields -

Any Ideas?

0 Karma
Reply

somesoni2
Revered Legend
‎08-17-2016 01:59 PM

Try this

...your search till appendpipe...| appendpipe  [stats  count | eval  "Active Alerts"="None" | where  count=0 | table "Active Alerts"]
0 Karma
Reply

JoshuaJohn
Contributor
‎08-18-2016 12:36 PM

Unfortunately this did not work.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...