https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615396#M14083 <P>You're very close.&nbsp; The <FONT face="courier new,courier">&lt;&lt;FIELD&gt;&gt;</FONT> specifier should be enclosed in single quotes so Splunk treats "EVAL-action" as a field name instead of an expression.&nbsp; Also, <FONT face="courier new,courier">&lt;&lt;MATCHSTR&gt;&gt;</FONT> should be in double quotes so the string "action" rather than the non-existent field 'action' is appended to eval_fields.</P><LI-CODE lang="markup">| rest splunk_server=local /servicesNS/-/-/configs/conf-props | fields title EVAL-a* | eval eval_fields="" | foreach EVAL-* [ eval eval_fields=if(isnotnull('&lt;&lt;FIELD&gt;&gt;'), mvappend(eval_fields,"&lt;&lt;MATCHSTR&gt;&gt;"), eval_fields) ] | table title eval_fields *</LI-CODE><P>&nbsp;</P> Fri, 30 Sep 2022 13:39:54 GMT richgalloway 2022-09-30T13:39:54Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615384#M14078 <P>I'm trying to get a list of fields by sourcetype without going down the route of fieldsummary and thought analyzing the props configs would be a good place to start.&nbsp;<BR /><BR />I'm starting with EVAL generated fields but not having any luck on the foreach section.<BR />Any pointers would be much appreciated.</P> <P>&nbsp;</P> <LI-CODE lang="markup">| rest splunk_server=local /servicesNS/-/-/configs/conf-props | table title EVAL-a* | eval eval_fields="" | foreach EVAL-* [ eval eval_fields=if(isnotnull(&lt;&lt;FIELD&gt;&gt;), mvappend(eval_fields,'&lt;&lt;MATCHSTR&gt;&gt;'), eval_fields) ] | table title eval_fields *</LI-CODE> <P>&nbsp;</P> Fri, 30 Sep 2022 14:33:17 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615384#M14078 andrew_nelson 2022-09-30T14:33:17Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615392#M14080 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229311">@andrew_nelson</a>&nbsp;</P><P>Can you please try this in foreach?</P><LI-CODE lang="markup">[ eval eval_fields= if(isnotnull('&lt;&lt;FIELD&gt;&gt;'), mvappend(eval_fields,"&lt;&lt;MATCHSTR&gt;&gt;"), eval_fields) ]</LI-CODE><P>&nbsp;</P><P>I hope this will help you.</P><P>Thanks<BR />KV<BR />If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Fri, 30 Sep 2022 13:25:33 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615392#M14080 kamlesh_vaghela 2022-09-30T13:25:33Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615394#M14081 <P>You're a legend KV&nbsp; ! Thanks a million.<BR />Been annoying me all day trying to figure out this.&nbsp;</P> Fri, 30 Sep 2022 13:29:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615394#M14081 andrew_nelson 2022-09-30T13:29:57Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615395#M14082 <P><span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span><span class="lia-unicode-emoji" title=":smiling_face_with_heart_eyes:">😍</span></P> Fri, 30 Sep 2022 13:31:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615395#M14082 kamlesh_vaghela 2022-09-30T13:31:29Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615396#M14083 <P>You're very close.&nbsp; The <FONT face="courier new,courier">&lt;&lt;FIELD&gt;&gt;</FONT> specifier should be enclosed in single quotes so Splunk treats "EVAL-action" as a field name instead of an expression.&nbsp; Also, <FONT face="courier new,courier">&lt;&lt;MATCHSTR&gt;&gt;</FONT> should be in double quotes so the string "action" rather than the non-existent field 'action' is appended to eval_fields.</P><LI-CODE lang="markup">| rest splunk_server=local /servicesNS/-/-/configs/conf-props | fields title EVAL-a* | eval eval_fields="" | foreach EVAL-* [ eval eval_fields=if(isnotnull('&lt;&lt;FIELD&gt;&gt;'), mvappend(eval_fields,"&lt;&lt;MATCHSTR&gt;&gt;"), eval_fields) ] | table title eval_fields *</LI-CODE><P>&nbsp;</P> Fri, 30 Sep 2022 13:39:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615396#M14083 richgalloway 2022-09-30T13:39:54Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615400#M14085 <P>Thanks Rich. I was thinking along the lines of putting anything in double quotes would be interpreted literally so &lt;&lt;MATCHSTR&gt;&gt; would have ended up in my multivalue field.&nbsp;<BR />Thanks for the detailed explanation.&nbsp;</P> Fri, 30 Sep 2022 14:01:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615400#M14085 andrew_nelson 2022-09-30T14:01:16Z https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615402#M14086 <P>Understood.&nbsp; Like $tokens$ in dashboards and the <FONT face="courier new,courier">map</FONT> command, &lt;&lt;tokens&gt;&gt; in <FONT face="courier new,courier">foreach</FONT> are always expanded, even when quoted.</P> Fri, 30 Sep 2022 14:12:43 GMT https://community.splunk.com/t5/Splunk-Enterprise/Help-with-foreach-on-REST-endpoint-data/m-p/615402#M14086 richgalloway 2022-09-30T14:12:43Z