Solved: Why is the 'foreach' command losing event data?

jpawloski · ‎04-22-2019

I'm running Splunk 6.2. I'm dealing with events that have varying amounts of multivalue fields (some events have one, others have up to 12+). The fields follow a field_name0001naming convention, like so :

 base search | eval dataReceived="" | foreach datarcvd_000* [eval dataReceived=dataReceived."<<FIELD>>"." ".'<<FIELD>>'." " ] | table _time dataReceived

When I run this against a week's worth of events, there are several that return nothing in the dataReceived field despite the raw event fields being present, and it's always the same handful of events that return null. But what really throws me is that if I filter the base search to return a single uncooperative event, the foreach works and it suddenly starts returning data in dataReceived as expect. What gives?

woodcock · ‎04-22-2019

Try this:

base search
| eval dataReceived=""
| foreach datarcvd_000* [eval dataReceived=if(isnotnull(<<FIELD>>), dataReceived."<<FIELD>>"." ".'<<FIELD>>'." ", dataReceived]
| table _time dataReceived

View solution in original post

woodcock · ‎04-22-2019

Try this:

base search
| eval dataReceived=""
| foreach datarcvd_000* [eval dataReceived=if(isnotnull(<<FIELD>>), dataReceived."<<FIELD>>"." ".'<<FIELD>>'." ", dataReceived]
| table _time dataReceived

woodcock · ‎04-22-2019

If any event does not contain ALL possible datarcvd_000* values, then your original eval will fail.

jpawloski · ‎05-18-2019

You've done it once again, woodcock. Thanks!

Why is the 'foreach' command losing event data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation