Solved: Can I loop through all my fields* using the foreac...

splunker1981 · ‎11-30-2017

Hello Splunk experts,

I'm trying to figure out a better way to handle the large number of case statements that I would need to null out values across my fields when the value stored = 001. I'm currently doing something like what I have shown below:

searchHere
| eval field1=case(field1 == 001, null(),1=1, field1) 
| eval field2=case(field2 == 001, null(),1=1, field2) 
| eval field3=case(field3 == 001, null(),1=1, field3)
 .... bunch more here
| stats values(*) by Key

This works as intended but compiling all these evals are a pain. I was trying to loop through all my fields* using the foreach command but I can't seem to get the fields to names to maintain their name

|foreach field* [eval <<FIELD>> = if(<<FIELD>> == 001, null(), 1=1, <<FIELD>>)]

splunker1981 · ‎11-30-2017

Figured out a better way to do this using streamstats

 | streamstats count as counter
 | stats values(*) as * by counter
 | fields - counter

View solution in original post

splunker1981 · ‎11-30-2017

Figured out a better way to do this using streamstats

 | streamstats count as counter
 | stats values(*) as * by counter
 | fields - counter

Can I loop through all my fields* using the foreach command, or in some way reduce the number of eval case statements in my search?

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Are you a member of the Splunk Community?

Can I loop through all my fields* using the foreach command, or in some way reduce the number of eval case statements in my search?

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern