Splunk Search

Suppress NULL column in the result set

Path Finder

Hi,

My log snippet is as shown below:

productid=12 email=abc@gg.com
productid=13 email=pqr@aa.com
productid=14 email=xyz@cc.com
productid=15 email=xyz@cc.com

I've a timechart with below query:

index=myindex sourcetype=mylog | eval productname=case(productid==12,"Product1",productid==13,"Product2",productid==14,"Product3")| timechart count by productname

Now this chart shows legend properly. However, I've other productids present in the log due to which above query returns NULL as a column for the productids that are not present in the query.

Example: Here, for productid=15, it shows NULL as a column since I'm comparing only 12,13 & 14 productids. How can I suppress this NULL column?

Any help is much appreciated!

Thanks!

Tags (3)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

There are two choices here. The first is to use the usenull option to timechart:

index=myindex sourcetype=mylog
| eval productname=case(productid==12,"Product1",productid==13,"Product2",productid==14,"Product3")
| timechart count by productname usenull=f

The other is to explicitly filter before timechart:

index=myindex sourcetype=mylog
| eval productname=case(productid==12,"Product1",productid==13,"Product2",productid==14,"Product3")
| search productname=*
| timechart count by productname

View solution in original post

Splunk Employee
Splunk Employee

There are two choices here. The first is to use the usenull option to timechart:

index=myindex sourcetype=mylog
| eval productname=case(productid==12,"Product1",productid==13,"Product2",productid==14,"Product3")
| timechart count by productname usenull=f

The other is to explicitly filter before timechart:

index=myindex sourcetype=mylog
| eval productname=case(productid==12,"Product1",productid==13,"Product2",productid==14,"Product3")
| search productname=*
| timechart count by productname

View solution in original post