Splunk macro to remove identical fields

Suppose that you have a Splunk query that returns a result set in which many fields carry the same value in every result. Those fields add noise when you are scanning for what actually differs between results. Here is a macro that removes every field whose value is identical across the whole result set, leaving only the fields that vary:

eventstats values(*)
| foreach values(*)
    [ nomv <<FIELD>> ]
| foreach * [ eval <<FIELD>>=if('<<FIELD>>'=='values(<<FIELD>>)',null(),'<<FIELD>>') ]
| fields - values(*)
| `remove_empty_fields`

Step by step: eventstats values(*) adds a values(<field>) field to every result that holds the distinct values the field takes across the entire result set. The first foreach runs nomv over those helper fields so that a multivalue list becomes a single string and can be compared to a plain field value. The second foreach sets a field to null() whenever its value equals its values(...) field, which only happens when the field has exactly one distinct value across all results. fields - values(*) discards the helper fields, and the final macro drops the fields that are now empty in every result.

One caveat before you rely on the output: values() skips results in which the field is absent, so a field that appears with one value in some results and is missing from the rest counts as identical and is removed. If presence versus absence is a difference you care about, run fillnull value="<missing>" (or any sentinel) before the macro so the missing value becomes a visible one.

Notice the last line: this macro calls `remove_empty_fields`, which I created a couple of weeks ago. And they say object-oriented code reuse is dead... Pfft!
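To try the macro on realistic input without touching indexed data, here is an added example that is not part of the original post. It uses makeresults to construct three results that share host, sourcetype and method but differ in status, user and request_id, then runs the macro body inline. The fillnull step is my addition so that request_id, which exists in only one of the three results, survives as a difference instead of being dropped; the last line assumes the author's `remove_empty_fields` macro is defined on your instance.

```spl
| makeresults count=3
| streamstats count AS n
| eval host="web01", sourcetype="access_combined", method="GET"
| eval status=case(n=1, "200", n=2, "500", n=3, "200")
| eval user=case(n=1, "alice", n=2, "bob", n=3, "alice")
| eval request_id=if(n=2, "r-2", null())
| fields - n
| fillnull value="<missing>"
| eventstats values(*)
| foreach values(*)
    [ nomv <<FIELD>> ]
| foreach * [ eval <<FIELD>>=if('<<FIELD>>'=='values(<<FIELD>>)',null(),'<<FIELD>>') ]
| fields - values(*)
| `remove_empty_fields`
```

Because host, sourcetype and method take the same value in all three results, the macro removes them; status, user and request_id each take more than one distinct value and remain. Delete the fillnull line and rerun to see request_id vanish, since values(request_id) then contains the single value "r-2" and the only result that has the field matches it.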

Keep in mind the Splunk diff command, which compares two specific results and shows their differences line by line. When you only need to compare a pair of events, it may be the more appropriate tool.

I really enjoy creating reusable design patterns like this. Please let me know if you need help creating Splunk artifacts (apps, dashboards, alerts) for your own situation. Thanks for reading!