Solved: Show only non-zero fields

ericchaucl · ‎08-20-2017

Hi,

How can I run a search and only display those columns with non-zero values? For example, I have fields test1, test2, test3, .... test99, in which only test2 and test10 are non-zero. Would be perfect if there is something like this:
| fields test* | where test* > 0

P.S. To be more specific, this scenario happens when I create and apply a TFIDF model. The system automatically generate a huge # of fields with suffix _tfidf. I would like to run some query and is interested in those non-zero fields only.

3no · ‎08-21-2017

Hey,

| table test* | transpose | rename column as Test "row 1" as count | where count > 0

3no.

View solution in original post

3no · ‎08-21-2017

Hey,

| table test* | transpose | rename column as Test "row 1" as count | where count > 0

3no.

ericchaucl · ‎08-21-2017

It works! Million thanks!

Show only non-zero fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation