Splunk macro to remove empty fields

Submitted by northben on Thu, 09/26/2019 - 13:47

Categories:

splunk

If you have a Splunk query that returns empty fields, you can use this query to programatically remove these blanks.

foreach * [
| eval maybe<<FIELD>>=<<FIELD>>
| fields - <<FIELD>>
| rename maybe<<FIELD>> as <<FIELD>>
]

Happy Splunking!

note: after I created this macro, I realized I could reuse it to remove identical fields which you might also find useful.

northben's blog