Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Showing all fields in search (including empty)

djfang
Explorer
‎07-17-2015 06:55 AM

Hi,

I would like to know how to show all fields in the search even when results are all empty for some of the fields.

I've tried

| fillnull value="NA"

but that only works when there's at least a value in the empty field.

So, I would like splunk to show the following:

header 1 | header2 | header 3
value 1 | < empty > | value 3
value 1 | < empty > | value 3
value 1 | < empty > | value 3
value 1 | < empty > | value 3
value 1 | < empty > | value 3

I would appreciate for any suggestions on this.

Also, I understand that one can also possible do something like

| eval header2=""

but I have over 200 fields and about a handful of them are not filled out depending on situations and would hope to see if there's a better way to do this than listing all the header fields manually in the beginning.

Cheers!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-17-2015 09:03 AM

I have 2 solutions:

You create a macro and use it like this:

... | `myfillnull()` | ...

Inside this macro you would iterate out every field like this:

eval header1=coalesce(header1,"N/A") | eval header2=coalesce(header2,"N/A") | ... | eval headerN=coalesce(headerN,"N/A")

Alternatively, you could create a lookup with each field laid out like this:

useThisToStripOut,header1,header2,...,headerN
useThisToStripOut,N/A,N/A,...,N/A

Then you could force each field to exist at least once by with append, then use fillnull, then remove the appended event like this:

... | append [|lookupcsv myfillnull] | fillnull value="N/A" | where isnotnull(usetThisToStripOut)

The latter is probably more efficient.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-17-2015 09:03 AM

I have 2 solutions:

You create a macro and use it like this:

... | `myfillnull()` | ...

Inside this macro you would iterate out every field like this:

eval header1=coalesce(header1,"N/A") | eval header2=coalesce(header2,"N/A") | ... | eval headerN=coalesce(headerN,"N/A")

Alternatively, you could create a lookup with each field laid out like this:

useThisToStripOut,header1,header2,...,headerN
useThisToStripOut,N/A,N/A,...,N/A

Then you could force each field to exist at least once by with append, then use fillnull, then remove the appended event like this:

... | append [|lookupcsv myfillnull] | fillnull value="N/A" | where isnotnull(usetThisToStripOut)

The latter is probably more efficient.

Reply
Solved! Jump to solution

djfang
Explorer
‎07-17-2015 07:04 AM

This is a follow up to the question that was previously asked but no conclusion was achieved.

https://answers.splunk.com/answers/67740/how-to-detect-and-fill-default-value-to-empty-value-field.h...

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-17-2015 09:06 AM

That question not only has answers, one of them was "conclusively" Accepted as "the answer".

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...