cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Fenrir
Engager
Member since: ‎10-22-2019
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎10-22-2019
Activity Feed
View All

Re: Dedup with removal of null columns

by in Splunk Enterprise Security
‎10-24-2019 11:47 AM
1 Karma
‎10-24-2019 11:47 AM
1 Karma
This does not work. I need to dedup before running this operation, which means I am forced to use fillnull. I cannot dedup after because there is no way to predict which columns will be removed. Maybe if there's a way I can set the fields that are being fillnulle'd to - back to null this would work? ... View more

Dedup with removal of null columns

by in Splunk Enterprise Security
‎10-22-2019 03:38 PM
‎10-22-2019 03:38 PM
I have a fairly complex query that ultimately outputs a large table with 23 fields and several dozen rows. Since the table is being populated from various data sourcetypes, I have an aggregate of all available fields from all sourcetypes, but all fields are not present in all sourcetypes. Assume there are 3 sourcetypes, they share 17 common fields, one has 3 unique, another 2, and the final sourcetype has 1 unique field. The resulting table will show the results, with all fields regardless if the original sourcetype contains them or not. Because of this, often one of those unique fields will be null across the entire column. Let's assume for simplicity the data returned from the original query and output to the table before any dedup/null removal is: | sourcetype | ip | hostname | os | status | department | |---------|---------|----------|---------|---------|------------| | type1 | value1 | value2 | null | value3 | null | | type2 | value1 | value2 | null | value3 | null | | type3 | value4 | value5 | value6 | value7 | null | In this instance, I would like to dedup rows 2 and 3 (I ignore sourcetype in the dedup, but I check all other fields present in the final tabl) in to a single result, and remove column 6, but I run in to the following problems: Dedup requires the values you want to check against. If I remove column 6 (department) first, I cannot generate my dedup command properly, as having "department" as an option results in no full match and the dedup doesn't do anything. I cannot run dedup first, as if I run it without using a fillnull, dedup will skip lines with null values in any of the specified columns. Now I cannot remove the null columns because the columns I want to remove are no longer null, they have a fillnull value. Also, as mentioned above, the results are fairly dynamic based on the data being searched for (this is being used on a dashboard with a query parameter input). Sometimes column 4 will be all null, or column 3. The solution needs to account for the dynamic nature of the results. Happy for any suggestions on how to overcome this, or just a confirmation that this will not be possible and I will need to find a different approach. Apologies if this doesn't make any sense, I am happy to clarify any points as needed. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All