topic Re: Why is the 'foreach' command losing event data? in Splunk Search

Why is the 'foreach' command losing event data?

jpawloski — Mon, 22 Apr 2019 21:40:42 GMT

I'm running Splunk 6.2. I'm dealing with events that have varying amounts of multivalue fields (some events have one, others have up to 12+). The fields follow a field_name0001naming convention, like so :

 base search | eval dataReceived="" | foreach datarcvd_000* [eval dataReceived=dataReceived."<<FIELD>>"." ".'<<FIELD>>'." " ] | table _time dataReceived

When I run this against a week's worth of events, there are several that return nothing in the dataReceived field despite the raw event fields being present, and it's always the same handful of events that return null. But what really throws me is that if I filter the base search to return a single uncooperative event, the foreach works and it suddenly starts returning data in dataReceived as expect. What gives?

Re: Why is the 'foreach' command losing event data?

woodcock — Tue, 23 Apr 2019 02:01:18 GMT

Try this:

base search
| eval dataReceived=""
| foreach datarcvd_000* [eval dataReceived=if(isnotnull(<<FIELD>>), dataReceived."<<FIELD>>"." ".'<<FIELD>>'." ", dataReceived]
| table _time dataReceived

Re: Why is the 'foreach' command losing event data?

woodcock — Tue, 23 Apr 2019 02:02:17 GMT

If any event does not contain ALL possible datarcvd_000* values, then your original eval will fail.

Re: Why is the 'foreach' command losing event data?

jpawloski — Sat, 18 May 2019 11:23:34 GMT

You've done it once again, woodcock. Thanks!