https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365942#M107930 <P>Change line 6 in your first example to </P> <PRE><CODE>| search LoS != 1 OR isnull(LoS) </CODE></PRE> <P>and see if they reappear.</P> Fri, 27 Apr 2018 03:09:35 GMT DalJeanis 2018-04-27T03:09:35Z https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365940#M107928 <PRE><CODE>index="index1" tdr=tdr1 OR tdr=tdr2 transaction id | foreach * [ rex field=&lt;&lt;FIELD&gt;&gt; mode=sed "s/{|}//g"] | eval _time=strptime(Qtime,"%Y-%m-%d %H:%M:%S.%3N") | eval LoS=if(tdr=1,Cos,null) | search LoS != 1 Los !=3 Los!=H LoS!=C .... .... | table ..... </CODE></PRE> <P>The above code returning 140 records. But the actual records are 200.</P> <PRE><CODE>index="index1" tdr=tdr1 OR tdr=tdr2 transaction id | eval _time=strptime(Qtime,"{%Y-%m-%d %H:%M:%S.%3N}") | eval LoS=if(tdr=1,Cos,null) | search LoS != {1} Los !={3} Los!={H} LoS!={C} .... .... | table ..... | foreach * [ rex field=&lt;&lt;FIELD&gt;&gt; mode=sed "s/{|}//g"] </CODE></PRE> <P>The above code is returning 200 records. </P> <P>Why foreach behaves differently in these two cases? <BR /> Please help me to understand the issue.</P> Fri, 27 Apr 2018 01:27:54 GMT https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365940#M107928 angelinealex 2018-04-27T01:27:54Z https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365941#M107929 <P>I don't have an answer, but I wonder if it would help you (and us) track down the issue if you look at the events that are not returned, perhaps with a search like this:</P> <PRE><CODE> index="index1" tdr=tdr1 OR tdr=tdr2 transaction id | foreach * [ rex field=&lt;&lt;FIELD&gt;&gt; mode=sed "s/{|}//g"] | eval _time=strptime(Qtime,"%Y-%m-%d %H:%M:%S.%3N") | eval LoS=.... | search LoS = 1 | table ..... </CODE></PRE> <P>It's worth pointing out that since we can't see your <CODE>eval</CODE> expression for LoS, it's tough to see the full picture of why searching for <CODE>!=1</CODE> and <CODE>!={1}</CODE> may return different sets of results.</P> Fri, 27 Apr 2018 01:53:32 GMT https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365941#M107929 micahkemp 2018-04-27T01:53:32Z https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365942#M107930 <P>Change line 6 in your first example to </P> <PRE><CODE>| search LoS != 1 OR isnull(LoS) </CODE></PRE> <P>and see if they reappear.</P> Fri, 27 Apr 2018 03:09:35 GMT https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365942#M107930 DalJeanis 2018-04-27T03:09:35Z https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365943#M107931 <P>Updated my queries. Please have a look.<BR /> tdrs always have the values with {} eg: {H} or {1}</P> Fri, 27 Apr 2018 16:41:08 GMT https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365943#M107931 angelinealex 2018-04-27T16:41:08Z https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365944#M107932 <P>Its not working. It always has value with {1}</P> Fri, 27 Apr 2018 17:19:07 GMT https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365944#M107932 angelinealex 2018-04-27T17:19:07Z https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365945#M107933 <P>In Example 1, Los always has a value = 1, since we strip off {} using foreach at the top before applying the condition check.</P> Tue, 01 May 2018 16:29:55 GMT https://community.splunk.com/t5/Splunk-Search/using-foreach-at-the-beginning-of-the-query-fetching-less/m-p/365945#M107933 rmuraly 2018-05-01T16:29:55Z