Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to remove empty fields?

Siddharthnegi
Contributor
‎12-13-2023 01:42 AM

| table Status, timeval, CompanyCode, CN
|appendpipe [stats count| eval error="thats not cool" | where count==0 |table error |fields - Status, timeval, CompanyCode, CN]

these are the last two lines of a search , so in this search if in fields (Status, timeval, CompanyCode, CN) there is no values or the all the fields are empty then i have to display a message which in this case is "thats not cool"
, it is working but in the result as you can see all the empty fields are also displaying in the result . But I want only the error field if other fields are empty. Can anyone help?

Siddharthnegi_0-1702460432617.png

 

0 Karma
Reply

glc_slash_it
Path Finder
‎12-13-2023 05:54 AM

Hi,

I think you could use something like this instead:

https://community.splunk.com/t5/Splunk-Search/Removing-all-null-columns-from-stats-table/m-p/566579

 

------------
If this was helpful, some karma would be appreciated.

Reply

Siddharthnegi
Contributor
‎12-13-2023 08:40 AM


Thanks for the reply but my problem is little different my search has table command before using appendpipe for displaying scustom message , and now the problem is if table is empty it should display only custom message but it is showing empty table plus the message  like image below. 


Siddharthnegi_0-1702485565674.png

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-13-2023 02:09 PM

You can use the @PickleRick solution just by adding his code after your appendpipe, but if you normally have a LOT of rows then the transpose and row processing may be very quite heavy.

There is an alternate solution, not sure how this will perform with a large result set and how it differs to the other one.

your base search with results...
| appendpipe [
 | stats count | where count=0
 | eval error="None"
 | fields - count
 ]
``` Rename all fields to X_* ```
| rename * as X_*
``` Now move those fields to the real name if it's not null ```
| foreach X_* [ eval "<<MATCHSTR>>"=if(isnull(<<FIELD>>), null(), <<FIELD>>) ]
``` and remove all the original X_ fields, so that non-null fields remain ```
| fields - X_*

With Splunk there is often more than one way to solve a problem 😁

Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-13-2023 08:56 AM

Hi

Why you cannot/don't want to use @glc_slash_it & @PickleRick answer? At least with test data it seems to work. You could test it like 

<your basesearch OR | makeresults>
| table Status, timeval, CompanyCode, CN 
| appendpipe 
    [ stats count 
    | eval error="thats not cool" 
    | where count==0 
    | table error 
    | fields - Status, timeval, CompanyCode, CN] 
| transpose 0 
| eval allnulls=1 
| foreach row* 
    [ eval allnulls=if(isnull('<<FIELD>>'),allnulls,0) ] 
| where allnulls=0 
| fields - allnulls 
| transpose 0 header_field=column 
| fields - column

r. Ismo 

Reply

Siddharthnegi
Contributor
‎12-14-2023 03:22 AM

thanks this solution is working for some test cases.
in other test case

Siddharthnegi_0-1702552868954.png

like in this one count field is zero , so i want custom message if count field is zero , any suggestions.

0 Karma
Reply

Siddharthnegi
Contributor
‎12-13-2023 09:37 PM

just a small question what will come in <<FIELD>> ?

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-13-2023 10:15 PM

Check out the docs for foreach

https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/foreach

The <<FIELD>> template is replaced with the value of the field being iterated through. In your context, it is the value of the row* field being evaluated.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...