Can I limit foreach iterations, or place a where clause (or other filter) in the foreach subsearch?

testingMemes
Engager

I'm attempting to flatten a JSON field because I have multiple "roots" of the JSON that host the same fields I need access to. For instance: json1.x.y, json2.x.y, json3.x.y, and I want to work with all of the "y" fields at once by referencing them as "y". I know a single "y" that will always exist, but the others are potentially dynamic, so I can't hardcode the JSON flattening with a rename. Currently I'm running the below search, with the issue being that "| foreach *.jsonConstant.*" iterates through all the JSON roots (1/2/3) and makes my results null if the correct root wasn't the last to run. I'm unsure why it iterates through all JSON roots, since in the current event all columns related to other roots are null.

MYSEARCH ("json1.jsonConstant.knownName"=* OR "json2.jsonConstant.knownName"=* OR "json3.jsonConstant.knownName"=*)  
| eval jsonRoot=case(isnotnull('json1.jsonConstant.knownName'),"json1", isnotnull('json2.jsonConstant.knownName'),"json2", isnotnull('json3.jsonConstant.knownName'),"json3",1=1,0) 
| eval temp=""
| foreach *.jsonConstant.* matchseg1=SEG1 matchseg2=SEG2 
       [ eval temp= temp . "|" . jsonRoot .":"."<<FIELD>>".":"."SEG1"."/"."SEG2"
       | eval SEG2 = '<<FIELD>>'
       ]
| stats count by knownName

An example of the error I get would be:
Event 1: the root for this event is json1, but knownName is null because the foreach ran on json1, json2, and json3, and the most recent loop, for json3, was null for all fields.
Event 2: the root for this event is json3. All fields extract/flatten correctly because json3 ran last.

The temp field above is what I'm using to debug.
I can't run a where clause within the foreach subsearch because it never runs any of the code in the foreach subsearch.

1 Solution

johnhuang
Motivator

You can check to make sure the field value is not null before assigning the value.

Either of these should work:

| eval SEG2=IF(ISNOTNULL('<<FIELD>>'), '<<FIELD>>', SEG2)

| eval SEG2=COALESCE('<<FIELD>>', SEG2)

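The following is an added, self-contained example (not code from the question or the accepted answer) that shows the null-guarded coalesce() pattern from the answer inside a complete search. The three events are constructed with makeresults and streamstats so the search runs in any Splunk instance without indexed data; the field names json1/json2/json3.jsonConstant.knownName and .extra are taken from the question, and the token names ROOT and LEAF are arbitrary choices passed to matchseg1/matchseg2. It also goes one step beyond the question: instead of hardcoding the root list in case(), jsonRoot is derived inside the same foreach from whichever root actually carried a non-null value, so new roots need no search change (this assumes, as the question does, that only one root is populated per event).

```spl
| makeresults count=3
| streamstats count AS n
| eval "json1.jsonConstant.knownName"=if(n=1, "alpha", null()),
       "json1.jsonConstant.extra"=if(n=1, "only-in-json1", null()),
       "json2.jsonConstant.knownName"=if(n=2, "bravo", null()),
       "json3.jsonConstant.knownName"=if(n=3, "charlie", null())
| foreach *.jsonConstant.* matchseg1=ROOT matchseg2=LEAF
    [ eval <<LEAF>>=coalesce('<<FIELD>>', '<<LEAF>>'),
           jsonRoot=if(isnotnull('<<FIELD>>'), "<<ROOT>>", jsonRoot) ]
| table _time n jsonRoot knownName extra
```

The foreach still visits every matching field for every event, including the ones that are null for that event; the difference is that coalesce() keeps the previously assigned value when the current field is null, so the iteration order no longer matters. Note that field names containing dots have to be single-quoted on the right-hand side of eval ('<<FIELD>>'), otherwise the dot is parsed as the concatenation operator. Replacing the final table with `| stats count BY knownName` reproduces the shape of the original search.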

testingMemes
Engager

Exactly what I needed! Thanks!
