warren

Reputation: 33453

Conditionally remove a field in Splunk

I have a table generated by chart that lists the results of a compliance scan

These results are typically Pass, Fail, and Error - but sometimes there is "Unknown" as a response

I want to show the percentage of each (Pass, Fail, Error, Unknown), so I do the following:

| fillnull value=0 Pass Fail Error Unknown
| eval _total=Pass+Fail+Error+Unknown
<calculate percentages for each field>
<append "%" to each value (Pass, Fail, Error, Unknown)>

What I want to do is eliminate a "totally" empty column, and only display it if it actually exists somewhere in the source data (not merely because of the fillnull command)

Is this possible?

I was thinking something like this, but cannot figure out the second step:

| eventstats max(Unknown) as _unk
| <if _unk is 0, drop the field>

edit

This could just as easily be reworded to:

Logically, this would look something like:

if(mvcount(values(fieldname))<2), fields - fieldname

Except, of course, that's not valid SPL

Upvotes: 1

Views: 1368

Answers (1)

swiip81

Reputation: 11

Could you try that logic after the chart:

``` fill with null values ```
| fillnull value=null()
``` rotate 90° twice, dropping empty/null ```
| transpose 0 include_empty=false | transpose 0 header_field=column | fields - column

[edit:] It works when I do the following, but I'm not sure it is easy to make it work under all conditions:

| stats count | eval keep=split("1 2 3 4 5"," ")  | mvexpand keep
| table keep nokeep
| fillnull value=null()
| transpose 0 include_empty=false | transpose 0 header_field=column | fields - column

[edit2:] And if you need to add more null() values, it could be done like this:

| stats count | eval keep=split("1 2 3 4 5"," "), nokeep=0  | mvexpand keep
| table keep nokeep
| foreach nokeep [ eval nokeep=if(nokeep==0,null(),nokeep) ]
| transpose 0 include_empty=false | transpose 0 header_field=column | fields - column

Upvotes: 1
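A complete pipeline that puts the question's percentage steps and the answer's double-transpose together, as an added example rather than either poster's own code. It assumes the chart output has one row per host with Pass, Fail, Error (and possibly Unknown) count columns; the input is constructed with makeresults so it runs with no index, and no host reports Unknown, so that column exists only because of fillnull. It generalizes the question's `eventstats max(Unknown)` idea to all four status columns: the column-wide maximum decides whether a status gets nulled out, so a host that legitimately scored 0% in a status other hosts do have still shows "0%" instead of an empty cell, unlike the answer's edit2, which nulls every 0 cell.

```spl
| makeresults count=1
| eval data="web01:Pass;web01:Fail;db01:Pass;db01:Error;app01:Pass"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<host>[^:]+):(?<result>.+)$"
| chart count over host by result
| fillnull value=0 Pass Fail Error Unknown
| eval _total=Pass+Fail+Error+Unknown
| eventstats max(Pass) as maxPass max(Fail) as maxFail max(Error) as maxError max(Unknown) as maxUnknown
| foreach Pass Fail Error Unknown [ eval <<FIELD>>=if('max<<FIELD>>'==0, null(), round(100*'<<FIELD>>'/_total, 1)."%") ]
| fields - _total maxPass maxFail maxError maxUnknown
| transpose 0 include_empty=false
| transpose 0 header_field=column
| fields - column
```

The first five lines only fabricate the chart input (host and result are assumed field names). fillnull and the _total eval are the question's own steps; eventstats records, per status column, the largest count seen on any row. The foreach then writes the percentage with its "%" suffix, but replaces the whole column with null() when that maximum is 0, since such a column was created by fillnull alone. The first transpose turns each status column into a row, and include_empty=false discards the rows whose values are all null; the second transpose restores the original layout with header_field=column, and `fields - column` removes the helper field it leaves behind. With the constructed data, the result keeps host, Pass, Fail and Error and drops Unknown.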
