Solved: Re: Why is foreach with wildcards not picking up a...

_jgpm_ · ‎12-08-2016

I'm not exactly sure why this isn't working. I couldn't find it in the documentation. I'm on 6.4.3.

basic search | table abc*abc def* |

This creates a table populated by fields that fit the wildcards. This would be an example table.

abc1abc|abc2abc|abc3abc|def1|def2|def3
sample1|sample2|sample3|123 |2345|null

Then I use foreach * [eval <<FIELD>>=1 ]

I'm doing this to just test what foreach is being applied to.

The table turns into:

abc1abc|abc2abc|abc3abc|def1|def2|def3
sample1|   1   |   1   |123 |2345|null

I have no idea why the * is only being applied to some subset of the fields. Is this somehow a carryover from the original table definition?

Thanks!

Flynt · ‎12-08-2016

Odd this seems to work fine for me but then I'm just using junk data.

|stats count|eval  abc1abc="sample1",cabc2abc="sample2", abc3abc="sample3", def1=123, def2=123, def3=""|fields - count| foreach * [eval <<FIELD>>=1 ]

On the offchance it's a naming issue, does adding "s work?

|stats count|eval  abc1abc="sample1",cabc2abc="sample2", abc3abc="sample3", def1=123, def2=123, def3=""|fields - count| foreach * [eval "<<FIELD>>"=1 ]

View solution in original post

Flynt · ‎12-08-2016

Odd this seems to work fine for me but then I'm just using junk data.

|stats count|eval  abc1abc="sample1",cabc2abc="sample2", abc3abc="sample3", def1=123, def2=123, def3=""|fields - count| foreach * [eval <<FIELD>>=1 ]

On the offchance it's a naming issue, does adding "s work?

|stats count|eval  abc1abc="sample1",cabc2abc="sample2", abc3abc="sample3", def1=123, def2=123, def3=""|fields - count| foreach * [eval "<<FIELD>>"=1 ]

somesoni2 · ‎12-08-2016

+1 on using double quotes around field name.

_jgpm_ · ‎12-08-2016

I'm not sure if I can replicate it here. My base search has 460K+ events. Suffice to say, I have 6 fields: 5 in the format abc*def and 1 in xyz_*.

This is a near cut & paste index=index1 tag=tag1 | table abc*def xyz_* | foreach * [ eval <>_flag=1 ]

the first field abcFOXdef,abcDOGdef have 8 fields that are full, rest are empty. abcCATdef, abcBIRDdef,abcCROWdef all have thousands of entries. xyz_STAR has 12 events.

Only abcCATdef, abcBIRDdef,abcCROWdef had _flag=1 fields created.

somesoni2 · ‎12-08-2016

The foreach will be applied to all the events, for each field, so not sure number of events will make a difference here. If you're not getting a <<FIELD>>_flag field created for a field with null values, then try using a fillnull command before foreach. Something like this

basic search | table abc*abc def* | fillnull value="null" abc*abc def* | foreach * [eval "<<FIELD>>_flag"=1 ]

OR

basic search | table abc*abc def* | fillnull value="null" abc*abc def* | foreach abc*abc def* [eval "<<FIELD>>_flag"=1 ]

_jgpm_ · ‎12-08-2016

fillnull definitely forced the FIELD_flag operation to occur for all fields. I used just 'fillnull value=""' and it worked. However, running fillnull on 460K x 6 fields caused my query to go from 38 secs to 56 secs. #firstworldproblems. I'm just using my laptop though. I will have to clean up some logic, but thank you for solving the issue!

Why is foreach with wildcards not picking up all fields in my search?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!