Splunk Search

Why I am not seeing the headers for columns that have all null values?

sandeepkumarmis
New Member

Hello,

I am using a curl command to extract data from Splunk. When at least one value for the column is there, I can see the header for that column, but when the entire column is null, I don't see the header itself. Can someone help me to fix this?

0 Karma

jkat54
SplunkTrust

I have a workaround... I've seen this before and the conclusion is the API doesn't export the null values. This is the workaround:

search index=indexname
| sort - _time 
| rename _time AS time 
| convert ctime(time)  
| eval fielda=if(isnull(fielda),",",fielda)
| eval fieldb=if(isnull(fieldb),",",fieldb)
| eval fieldc=if(isnull(fieldc),",",fieldc)
| eval fieldd=if(isnull(fieldd),",",fieldd)
| eval fielde=if(isnull(fielde),",",fielde)
| table fielda fieldb fieldc fieldd fielde

What it will do is replace null values with commas, and then the API is forced to export in correct CSV format.

0 Karma

jkat54
SplunkTrust

You can probably do this several other ways, like 'fillnull value="," (fields here)'.

0 Karma

jkat54
SplunkTrust

Use the fillnull command to fill the null values...

root search... | fillnull value=null | ... statistical/charting command

0 Karma

sandeepkumarmis
New Member

I tried this as well, but I still get neither the null field values nor the header names.

0 Karma

jkat54
SplunkTrust

Can you please share the search?

0 Karma

sandeepkumarmis
New Member
curl -k -u  https://url  -d search="search index=   sourcetype= earliest=-30d latest=now | fillnull value=null |  sort -_time | rename _time AS time | convert ctime(time) | table field1,field2,field3,field4,field5,field5" -d output_mode=csv -o /home/username/test.csv

Output
field5
608
214
407
860
219
901
843
904
480

I am expecting something like
field1,field2,field3,field4,field5
,,,,608
,,,,214
,,,,407
,,,,860
,,,,219
,,,,901
,,,,843
,,,,904
,,,,480

0 Karma

jkat54
SplunkTrust

What API endpoint are you using? You only mention the URL, not /saved/searches/ ... etc.

0 Karma

sundareshr
Legend

Try uppercase null .. | fillnull value=NULL

0 Karma

arobbins_splunk
Splunk Employee

OK... so since field1,field2,field3,field4 are null when you get to the pipe with fillnull, the search processor doesn't know that they exist, and therefore cannot fill them with null...

try:
... | fillnull value=NULL field1,field2,field3,field4,field5 | ...

that should explicitly tell the fillnull processor that those fields exist and need to be set.

0 Karma
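The thread's fix is to name the fields explicitly so the search processor knows they exist. When the export cannot be changed (or older exports already lack the columns), the same guarantee can be enforced on the consuming side. The following is an added example, not code from the thread or from Splunk: it takes a CSV export like the one posted above, which dropped the all-null columns field1..field4, and rewrites it against a fixed column list, filling absent columns the way fillnull would. The sample export text and the EXPECTED_FIELDS list are constructed for the example.

```python
import csv
import io

# Constructed sample of the REST export described in the thread: the all-null
# columns field1..field4 were dropped and only field5 survived in the CSV.
EXPORTED_CSV = """field5
608
214
407
"""

# Fixed schema the downstream consumer expects, in order (assumed for this example).
EXPECTED_FIELDS = ["field1", "field2", "field3", "field4", "field5"]


def missing_columns(csv_text, expected_fields):
    """Return the expected columns that the export did not include.

    An export with no header at all (empty result set) reports every column
    as missing, since DictReader.fieldnames is None in that case.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    present = set(reader.fieldnames or [])
    return [field for field in expected_fields if field not in present]


def normalize_export(csv_text, expected_fields, fill_value=""):
    """Rewrite a Splunk CSV export so every expected column is present.

    Columns the export omitted (because every value was null) are added and
    filled with fill_value, mirroring 'fillnull value=<fill_value> <fields>'.
    Columns present in the export keep their values; unexpected extra columns
    are dropped so the output schema stays stable for the consumer.
    Returns the normalized CSV as a string with '\\n' line endings.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(
        out,
        fieldnames=expected_fields,
        restval=fill_value,        # value written for columns absent from a row
        extrasaction="ignore",     # silently drop columns not in the schema
        lineterminator="\n",
    )
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    print("missing:", missing_columns(EXPORTED_CSV, EXPECTED_FIELDS))
    # Empty fill reproduces the ',,,,608' layout the poster expected;
    # fill_value="NULL" reproduces the fillnull value=NULL variant.
    print(normalize_export(EXPORTED_CSV, EXPECTED_FIELDS))
    print(normalize_export(EXPORTED_CSV, EXPECTED_FIELDS, fill_value="NULL"))
```

The header is always written from the expected field list rather than from whatever the export happened to contain, so a column that is null for the whole time range (or a day with zero events) no longer changes the shape of the file that downstream tooling reads.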

arobbins_splunk
Splunk Employee

If you're using the preview_results endpoint with output_mode:json_rows, you should be able to set the field_list to include the fields you want. Those fields should then come back even if all the values are NULL.

0 Karma

sandeepkumarmis
New Member

I am using output_mode:csv.
I found this cannot be done. 😞
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Extractfieldsfromfileheadersatindextime

0 Karma