
Can I limit foreach iterations, or place a where clause (or other filter) in the foreach subsearch?

testingMemes
Engager


I'm attempting to flatten a JSON field because I have multiple "roots" of the JSON that host the same fields I need access to. For instance: json1.x.y, json2.x.y, json3.x.y, and I want to work with all of the "y" fields at once by referencing them as "y". I know a single "y" that will always exist, but the others are potentially dynamic, so I can't hardcode the JSON flattening with a rename. Currently I'm running the search below; the issue is that "| foreach *.jsonConstant.*" iterates through all the JSON roots (1/2/3) and makes my results null if the correct root wasn't the last to run. I'm unsure why it iterates through all JSON roots, as in the current event all columns related to the other roots are null.

MYSEARCH ("json1.jsonConstant.knownName"=* OR "json2.jsonConstant.knownName"=* OR "json3.jsonConstant.knownName"=*)  
| eval jsonRoot=case(isnotnull('json1.jsonConstant.knownName'),"json1", isnotnull('json2.jsonConstant.knownName'),"json2", isnotnull('json3.jsonConstant.knownName'),"json3",1=1,0) 
| eval temp=""
| foreach *.jsonConstant.* matchseg1=SEG1 matchseg2=SEG2 
       [ eval temp= temp . "|" . jsonRoot .":"."<<FIELD>>".":"."SEG1"."/"."SEG2"
       | eval SEG2 = '<<FIELD>>'
       ]
| stats count by knownName

An example of the error I get would be:
Event 1: the root for this event is json1, but knownName is null because the foreach ran on json1, json2, and json3, and the most recent loop, for json3, was null for all fields.
Event 2: the root for this event is json3; all fields extract/flatten correctly because json3 ran last.

The temp field above is what I'm using to debug.
I can't run a where clause within the foreach subsearch because it never runs any of the code in the foreach subsearch.


1 Solution

johnhuang
Motivator

You can check to make sure the field value is not null before assigning the value.

Either of these should work:

| eval SEG2=IF(ISNOTNULL('<<FIELD>>'), '<<FIELD>>', SEG2)


| eval SEG2=COALESCE('<<FIELD>>', SEG2)




testingMemes
Engager

Exactly what I needed! Thanks!
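The accepted answer works because foreach resolves the wildcard field list against the fields present in the result set, not per event, so the template runs once for every root (json1, json2, json3) on every event, and a plain assignment lets the last, null, root overwrite an earlier good value. Wrapping the assignment in coalesce keeps the first non-null value instead. Below is a self-contained search that reproduces the problem on two constructed events and applies the fix. This is an added example, not code from the original post; the field names json1/json3, jsonConstant and knownName are taken from the thread, while otherName and the event contents are made up for illustration. Note that dotted field names such as json1.jsonConstant.knownName must be wrapped in single quotes inside eval, which is why the `'<<FIELD>>'` token is quoted.

```spl
| makeresults count=2
| streamstats count AS n
``` constructed sample events: event 1 lives under root json1, event 2 under root json3 ```
| eval _raw=case(
      n==1, "{\"json1\":{\"jsonConstant\":{\"knownName\":\"alpha\",\"otherName\":\"a1\"}}}",
      n==2, "{\"json3\":{\"jsonConstant\":{\"knownName\":\"gamma\",\"otherName\":\"g3\"}}}")
``` spath extracts json1.jsonConstant.knownName, json3.jsonConstant.otherName, etc. ```
| spath
| eval jsonRoot=case(
      isnotnull('json1.jsonConstant.knownName'), "json1",
      isnotnull('json2.jsonConstant.knownName'), "json2",
      isnotnull('json3.jsonConstant.knownName'), "json3",
      true(), "unknown")
``` SEG1 is the root segment, SEG2 the leaf name (knownName, otherName).
    coalesce keeps an earlier non-null value when a later root is null on this event ```
| foreach *.jsonConstant.* matchseg1=SEG1 matchseg2=SEG2
    [ eval SEG2=coalesce('<<FIELD>>', SEG2) ]
| table n jsonRoot knownName otherName
```

Replacing the coalesce line with the original `eval SEG2='<<FIELD>>'` reproduces the symptom from the question: the json1 event loses knownName because the json3 iteration runs last and assigns null. The flattened knownName can then feed `| stats count by knownName` as in the original search. One caveat to keep in mind: if an event ever carries more than one populated root, coalesce silently keeps whichever root foreach happens to visit first, so a search that must detect that condition should test the per-root fields explicitly rather than rely on the flattened value.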
