Suppose that you have a Splunk query that returns a result set with some duplicate fields. Would you like to remove the duplicate fields so that you can quickly identify the differences between each result? Here’s a macro to do it!
eventstats values
| foreach values(*)
   [ nomv <<FIELD>> ]
| foreach * [ eval <<FIELD>>=if('<<FIELD>>'=='values(<<FIELD>>)',NULL(),'<<FIELD>>') ]
| fields - values(*)
| `remove_empty_fields`
Notice the last line - this macro calls remove_empty_fields, which I created a couple of weeks ago. And they say Object-oriented code reuse is dead… Pfft!
Keep in mind the Splunk diff command, which performs similarly and may be more appropriate for your situation.
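To see which fields survive the macro, here is a Python model of its logic run on constructed rows. It is an added illustration, not the author's code and not SPL. It assumes that eventstats values skips results where the field is missing, that nomv joins values with a newline, that every field is single-valued, and that remove_empty_fields drops fields that are empty in every result.

```python
# Added illustration: a Python model of the macro's logic, not SPL.
# Constructed sample results. "mfa" exists on the first result only.
ROWS = [
    {"host": "web01", "action": "login", "user": "alice",
     "src_ip": "10.0.0.5", "mfa": "no"},
    {"host": "web01", "action": "login", "user": "bob", "src_ip": "10.0.0.5"},
    {"host": "web01", "action": "login", "user": "carol", "src_ip": "10.0.0.9"},
]


def eventstats_values(rows):
    """Model of `eventstats values` followed by `nomv`.

    For each field, collect the distinct values over all rows, sort them,
    and join them into one string (newline delimiter is an assumption).
    Rows that lack the field contribute nothing.
    """
    distinct = {}
    for row in rows:
        for field, value in row.items():
            distinct.setdefault(field, set()).add(value)
    return {field: "\n".join(sorted(vals)) for field, vals in distinct.items()}


def remove_duplicate_fields(rows):
    """Model of the eval step plus the assumed remove_empty_fields behaviour.

    A value is nulled when it equals the joined aggregate, which only
    happens when the field has a single distinct value. Nulling is
    modelled by dropping the key from the row.
    """
    aggregate = eventstats_values(rows)
    return [
        {field: value for field, value in row.items()
         if value != aggregate[field]}
        for row in rows
    ]


def surviving_fields(rows):
    """Field names still present in at least one row after the macro."""
    return sorted({field for row in remove_duplicate_fields(rows) for field in row})


if __name__ == "__main__":
    for row in remove_duplicate_fields(ROWS):
        print(row)
    print("kept:", surviving_fields(ROWS))
```

Under these assumptions, mfa is removed even though it appears on only one result: a field with a single distinct value is dropped whether or not every result carries it, so the output does not show that a field was present on some results and absent on others.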
I really enjoy creating reusable design patterns like this. Please let me know if you need help creating Splunk artifacts (apps, dashboards, alerts) for your own situation. Thanks for reading!