I'm running Splunk 6.2. I'm dealing with events that have varying numbers of multivalue fields (some events have one, others have up to 12+). The fields follow a field_name0001 naming convention, like so:
base search | eval dataReceived="" | foreach datarcvd_000* [eval dataReceived=dataReceived."<<FIELD>>"." ".'<<FIELD>>'." " ] | table _time dataReceived
When I run this against a week's worth of events, there are several that return nothing in the dataReceived field despite the raw event fields being present, and it's always the same handful of events that return null. But what really throws me is that if I filter the base search to return a single uncooperative event, the foreach works and it suddenly starts returning data in dataReceived as expected. What gives?
Try this:
base search
| eval dataReceived=""
| foreach datarcvd_000* [eval dataReceived=if(isnotnull(<<FIELD>>), dataReceived."<<FIELD>>"." ".'<<FIELD>>'." ", dataReceived)]
| table _time dataReceived
If any event does not contain ALL possible datarcvd_000* values, then your original eval will fail.
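To make the failure mode concrete, here is a small Python model of the behaviour the answer relies on (an added example, not code from the thread or from Splunk): eval's "." operator yields null when any operand is null, and the isnotnull() guard skips the missing field instead. It also models, as an assumption, that the foreach wildcard expands over the union of field names in the whole result set, which is why a base search narrowed to one event behaves differently. Sample events are constructed.

```python
# Added example (not from the Splunk Answers thread): model of eval's null-
# propagating "." concatenation and of the isnotnull() guard from the answer.
# Field names follow the datarcvd_000N convention from the question.
from fnmatch import fnmatch

# Constructed sample events: each dict is one search result and carries only
# the datarcvd_* fields that event actually has.
EVENTS = [
    {"_time": "2015-03-01T10:00:00", "datarcvd_0001": "a", "datarcvd_0002": "b"},
    {"_time": "2015-03-01T10:05:00", "datarcvd_0001": "c"},  # only one field
    {"_time": "2015-03-01T10:10:00", "datarcvd_0001": "d", "datarcvd_0002": "e",
     "datarcvd_0003": "f"},
]


def spl_concat(*parts):
    """Model of eval's '.' operator: if any operand is null the result is null."""
    if any(p is None for p in parts):
        return None
    return "".join(parts)


def foreach_fields(events, pattern):
    """Assumed model of foreach wildcard expansion: the pattern is matched
    against every field name present anywhere in the result set, so which
    fields get iterated depends on which events the base search returned."""
    names = {k for ev in events for k in ev if fnmatch(k, pattern)}
    return sorted(names)


def build_data_received(events, guarded):
    """Run the question's foreach over the events.
    guarded=False models the original eval; guarded=True models the answer."""
    out = []
    for ev in events:
        acc = ""
        for field in foreach_fields(events, "datarcvd_000*"):
            value = ev.get(field)           # null when the event lacks the field
            if guarded and value is None:   # if(isnotnull(<<FIELD>>), ..., dataReceived)
                continue
            # dataReceived."<<FIELD>>"." ".'<<FIELD>>'." "
            acc = spl_concat(acc, field, " ", value, " ")
        out.append({"_time": ev["_time"], "dataReceived": acc})
    return out


if __name__ == "__main__":
    for row in build_data_received(EVENTS, guarded=False):
        print("unguarded:", row)            # events missing any field come back null
    for row in build_data_received(EVENTS, guarded=True):
        print("guarded:  ", row)
```

Running the unguarded version over the full set nulls out every event that lacks one of the expanded fields, while the same event searched on its own works because only its own fields are expanded.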
You've done it once again, woodcock. Thanks!