Splunk Search

Strange foreach behaviour with wildcards

bowesmana
SplunkTrust

We all know that foreach * will work on all the fields in the result row right...

Well it seems that when using datamodels, the wildcard for fields is not what it seems

 

| from datamodel:DataModelName
| foreach * [ eval field_list=mvappend(field_list, "<<MATCHSTR>>") ]
| table field_list, * _raw

 

With the above running on a suitably populated data model, the wildcard in the foreach and the one in the table statement give a different set of fields - but not always.

The foreach * will normally show the data seen in the backing event mapped onto the data model, whereas the table * will show the datamodel fields names, even if those fields are null.

However, I have run searches today, where the foreach statement is actually getting fields from the datamodel, where the fields do not exist in the data. 

It's Splunk 7.3.4. I have run these two searches which give different results, which are even stranger.

| from datamodel:Performance.CPU
| head 1
| foreach * [ eval field_list=mvappend(field_list, "<<MATCHSTR>>") ]
| table field_list, * _raw

| from datamodel:Performance.CPU
| foreach * [ eval field_list=mvappend(field_list, "<<MATCHSTR>>") ]
| table field_list, * _raw
| head 1

The first one gives me field_list containing all the fields from the Performance.CPU data model, including the inherited ones, such as hypervisor_id, but which are null and are definitely not in the data, whereas the second one just gives me a smaller list of the non null fields in the data model. However, the _raw data is the same in both cases.

Does anyone know what * should mean when dealing with data models, and should it work the same in both the foreach and table cases?
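One way to tell the two cases apart when this happens, as an added example that is not from the original post: split the foreach output into fields that actually carry a value on the row and fields the data model contributes as nulls. It assumes the Performance.CPU model from the post; `<<FIELD>>` is the standard foreach token for the current field name.

```spl
| from datamodel:Performance.CPU
| head 1
| foreach * [ eval populated=if(isnotnull('<<FIELD>>'), mvappend(populated, "<<FIELD>>"), populated),
                   unpopulated=if(isnull('<<FIELD>>'), mvappend(unpopulated, "<<FIELD>>"), unpopulated) ]
| eval populated_count=mvcount(populated), unpopulated_count=mvcount(unpopulated)
| table populated_count, unpopulated_count, populated, unpopulated
```

If unpopulated lists inherited model fields such as hypervisor_id, the foreach wildcard was expanded over the data model's field set rather than the fields present in the event.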
