Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

Can I loop through all my fields* using the foreach command, or in some way reduce the number of eval case statements in my search?

splunker1981
Path Finder
โ€Ž11-30-2017 10:50 AM

Hello Splunk experts,

I'm trying to figure out a better way to handle the large number of case statements that I would need to null out values across my fields when the value stored = 001. I'm currently doing something like what I have shown below:

searchHere
| eval field1=case(field1 == 001, null(),1=1, field1) 
| eval field2=case(field2 == 001, null(),1=1, field2) 
| eval field3=case(field3 == 001, null(),1=1, field3)
 .... bunch more here
| stats values(*) by Key

This works as intended but compiling all these evals are a pain. I was trying to loop through all my fields* using the foreach command but I can't seem to get the fields to names to maintain their name

|foreach field* [eval <<FIELD>> = if(<<FIELD>> == 001, null(), 1=1, <<FIELD>>)]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunker1981
Path Finder
โ€Ž11-30-2017 12:00 PM

Figured out a better way to do this using streamstats

 | streamstats count as counter
 | stats values(*) as * by counter
 | fields - counter

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

splunker1981
Path Finder
โ€Ž11-30-2017 12:00 PM

Figured out a better way to do this using streamstats

 | streamstats count as counter
 | stats values(*) as * by counter
 | fields - counter

View solution in original post

0 Karma
Reply