Splunk Search

Can I limit foreach iterations, or place a where clause (or other filter) in the foreach subsearch?

testingMemes
Engager


I'm attempting to flatten a JSON field because I have multiple "roots" of the JSON that host the same fields I need access to. For instance: json1.x.y, json2.x.y, json3.x.y, and I want to work with all of the "y" fields at once by referencing them as "y". I know a single "y" that will always exist, but the others are potentially dynamic, so I can't hardcode the JSON flattening with a rename. Currently I'm running the below search, with the issue being that "| foreach *.jsonConstant.*" iterates through all the JSON roots (1/2/3) and makes my results null if the correct root wasn't the last to run. I'm unsure why it iterates through all JSON roots, as in the current event all columns related to other roots are null.

MYSEARCH ("json1.jsonConstant.knownName"=* OR "json2.jsonConstant.knownName"=* OR "json3.jsonConstant.knownName"=*)
| eval jsonRoot=case(isnotnull('json1.jsonConstant.knownName'),"json1", isnotnull('json2.jsonConstant.knownName'),"json2", isnotnull('json3.jsonConstant.knownName'),"json3",1=1,0)
| eval temp=""
| foreach *.jsonConstant.* matchseg1=SEG1 matchseg2=SEG2
    [ eval temp= temp . "|" . jsonRoot .":"."<<FIELD>>".":"."SEG1"."/"."SEG2"
    | eval SEG2 = '<<FIELD>>'
    ]
| stats count by knownName

An example of the error I get would be:
Event 1: root for this event is json1, but the knownName is null because the foreach ran on json1, json2, and json3, and the most recent loop, for json3, was null for all fields.
Event 2: root for this event is json3; all fields extract/flatten correctly because json3 ran last.

The temp field above is what I'm using to debug.
I can't run a where clause within the foreach subsearch because it never runs any of the code in the foreach subsearch.


johnhuang
Motivator

You can check to make sure the field value is not null before assigning the value.

Either of these should work:

| eval SEG2=IF(ISNOTNULL('<<FIELD>>'), '<<FIELD>>', SEG2)

| eval SEG2=COALESCE('<<FIELD>>', SEG2)
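The accepted fix, carried through as a complete search that can be run without the poster's data. This is an added example, not code from the original post: the three events are constructed with makeresults and spath so that each one carries a different JSON root, the foreach then flattens <root>.jsonConstant.<leaf> into <leaf> using the coalesce() form from the answer, and the jsonRoot case() from the question is kept so the result shows which root each row came from. The "other" leaf field and the values alpha/beta/gamma are assumptions chosen for the sample.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
      n=1, "{\"json1\":{\"jsonConstant\":{\"knownName\":\"alpha\",\"other\":\"a1\"}}}",
      n=2, "{\"json2\":{\"jsonConstant\":{\"knownName\":\"beta\",\"other\":\"b2\"}}}",
      n=3, "{\"json3\":{\"jsonConstant\":{\"knownName\":\"gamma\",\"other\":\"g3\"}}}")
| spath
| eval jsonRoot=case(
      isnotnull('json1.jsonConstant.knownName'), "json1",
      isnotnull('json2.jsonConstant.knownName'), "json2",
      isnotnull('json3.jsonConstant.knownName'), "json3",
      1=1, "none")
| foreach *.jsonConstant.* matchseg1=SEG1 matchseg2=SEG2
    [ eval SEG2=coalesce('<<FIELD>>', SEG2) ]
| table jsonRoot knownName other
| stats count by knownName
```

The foreach still runs once per matching field name on every event (json1, json2 and json3 roots all match the wildcard), so the iteration cannot be limited; what changes is that an iteration whose '<<FIELD>>' is null now leaves the already-populated SEG2 field alone instead of overwriting it, so each row keeps the knownName and other values from its own root no matter which root the loop visits last. The single quotes around '<<FIELD>>' matter because the substituted name contains dots, which eval would otherwise read as string concatenation.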

testingMemes
Engager

Exactly what I needed! Thanks!
