Solved: Can I loop through all my fields* using the foreac...

splunker1981 · ‎11-30-2017

Hello Splunk experts,

I'm trying to figure out a better way to handle the large number of case statements that I would need to null out values across my fields when the value stored = 001. I'm currently doing something like what I have shown below:

searchHere
| eval field1=case(field1 == 001, null(),1=1, field1) 
| eval field2=case(field2 == 001, null(),1=1, field2) 
| eval field3=case(field3 == 001, null(),1=1, field3)
 .... bunch more here
| stats values(*) by Key

This works as intended but compiling all these evals are a pain. I was trying to loop through all my fields* using the foreach command but I can't seem to get the fields to names to maintain their name

|foreach field* [eval <<FIELD>> = if(<<FIELD>> == 001, null(), 1=1, <<FIELD>>)]

splunker1981 · ‎11-30-2017

Figured out a better way to do this using streamstats

 | streamstats count as counter
 | stats values(*) as * by counter
 | fields - counter

View solution in original post

splunker1981 · ‎11-30-2017

Figured out a better way to do this using streamstats

 | streamstats count as counter
 | stats values(*) as * by counter
 | fields - counter

Can I loop through all my fields* using the foreach command, or in some way reduce the number of eval case statements in my search?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation