Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to hide a column in a table if every value in that column is null?

yacht_rock
Explorer
‎06-21-2016 02:18 PM

How can I hide/not display a column in a table if every value in that column is null? Sometimes the column will have values. Splunk does a weird table width vs. Length of column values so I'm trying to save space and decrease horizontal scrolling if I can.

Stats count by foo, boo, bar

Foo, boo, bar
123,456,null
123,890,null

Only want to see

Foo, boo
123,456
123,890

if bar is always null

Reply

nabeel652
Builder
‎02-19-2018 11:24 PM

Try appending this at the end of your search:

...your search | streamstats count as serial | stats values(*) as * by serial  | fields - serial
Reply

Gayatri
Explorer
‎08-08-2021 11:38 PM 
your search | streamstats count as serial | stats values(*) as * by serial  | fields - serial

Could you please explain how this command helps to hid columns which has null values in Splunk. 

0 Karma
Reply

romanwaldecker
Path Finder
‎02-09-2018 01:15 AM

Appending the transpose command two times will help you out.

I am referring to this answer in a similar thread:
https://answers.splunk.com/answers/241186/removing-null-columns-from-a-table.html#answer-593190

Simply add: 

| transpose 0
| transpose 0 header_field=column 
| fields - column

//

Some further notes:
- Why it works: When transposing a table, Splunk automatically removes every resulting empty row (= previously empty column).
- The 0option makes sure that every row and every column gets transposed.
- The only downside: The transpose command is pretty time-consuming. Use it carefully.
- For further info in Splunk Doku: https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Transpose

0 Karma
Reply

mprreddy51
Explorer
‎06-21-2016 03:38 PM

try this

base query....|fields - bar

0 Karma
Reply

yacht_rock
Explorer
‎06-21-2016 04:23 PM

Thank you for the reply, but that's not quite what I'm asking. I know you can explicitly exclude fields in a search's output via the fields command.

What I'm looking for is conditionally not showing a field if all the field's values are null, otherwise show the field

index=myindex xyz=abc | if (values(whatever_field) = null) then (table foo_field, bar_field) ELSE (table foo_field, bar_field, whatever_field))

Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...