I'm running Splunk 6.2. I'm dealing with events that have varying amounts of multivalue fields (some events have one, others have up to 12+). The fields follow a field_name0001 naming convention, like so:
base search | eval dataReceived="" | foreach datarcvd_000* [eval dataReceived=dataReceived."<<FIELD>>"." ".'<<FIELD>>'." " ] | table _time dataReceived
When I run this against a week's worth of events, there are several that return nothing in the dataReceived field despite the raw event fields being present, and it's always the same handful of events that return null. But what really throws me is that if I filter the base search to return a single uncooperative event, the foreach works and it suddenly starts returning data in dataReceived as expected. What gives?
base search | eval dataReceived="" | foreach datarcvd_000* [eval dataReceived=if(isnotnull(<<FIELD>>), dataReceived."<<FIELD>>"." ".'<<FIELD>>'." ", dataReceived)] | table _time dataReceived