How to remove columns from search results when the...

JoshuaJohn · ‎08-17-2016

I am trying to remove columns from my search when they return null. Previously, my entire panel would just result with "no results found", but I wanted to display something here instead of that message, so I appended a column, but when I tried to use fields - (column names), nothing really happened.

Here is my search:

index="nitro_prod_summary" earliest=-1h@m latest=@m [| `nitro_prod_cmdb` | search Category="merch" Service="*" Application="*" | search Application!="LOD" | stats count by Application | table Application] | join Application [ | `nitro_prod_cmdb` ] | search Alert_Type="*" Metric_Category="*" | eval FilterKey=Description.ID | dedup FilterKey |search Category!="FINANCE" | table Alert_Type Category Service Application Metric_Category Description Key ID | rename Metric_Category as "Type" Alert_Type as "Alert" count as Count | sort +Alert | appendpipe  [stats  count | eval  "Active Alerts"="None" | where  count==0 | fields  - count]

I tried:
fields - count, Alert_Type, Category, Service, Application, Metric_Category, Description, Key, ID
fields - count Alert_Type Category Service Application Metric_Category Description Key ID
fields -

Any Ideas?

somesoni2 · ‎08-17-2016

Try this

...your search till appendpipe...| appendpipe  [stats  count | eval  "Active Alerts"="None" | where  count=0 | table "Active Alerts"]

JoshuaJohn · ‎08-18-2016

Unfortunately this did not work.

How to remove columns from search results when they are empty?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

How to remove columns from search results when they are empty?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk