Splunk macro to remove identical fields

Submitted by northben on Mon, 10/14/2019 - 23:04

Categories:

splunk

Suppose that you have a Splunk query that returns a result set with some duplicate fields. Would you like to remove the duplicate fields so that you can quickly identify the differenes between each result? Here's a macro to do it!

eventstats values 
| foreach values(*) 
    [ nomv <<FIELD>> ] 
| foreach * [ eval <<FIELD>>=if('<<FIELD>>'=='values(<<FIELD>>)',NULL(),'<<FIELD>>') ] 
| fields - values(*)
| `remove_empty_fields`

Notice the last line - this macro calls `remove_empty_fields` which I created a couple of weeks ago. And they say Object-oriented code reuse is dead... Pfft!

Keep in mind the Splunk diff command, which performs similarly and may be more appropriate for your situation.

I really enjoy creating reusable design patterns like this. Please let me know if you need help creating Splunk artifacts (apps, dashboards, alerts) for your own situation. Thanks for reading!

northben's blog

Secondary menu

You are here

Search form

Splunk macro to remove identical fields

Categories: