Solved: skip step in foreach

spisiakmi · ‎09-05-2025

Hi, any help, please?

Here is the code

Output is: tmp=1||3

I would like to have output tmp="1|3", it means how to skip the step in foreach, if the <<FIELD>> is null?

livehybrid · ‎09-05-2025

Hi @spisiakmi

I dont think your isnotnull is matchnig as you expect on "", try this:

| makeresults
| eval tmp_1=1
| eval tmp_2=""
| eval tmp_3=3
| eval tmp=""
| foreach tmp_*
[| eval tmp = tmp.if(<<FIELD>>!="",<<FIELD>>."|","")]
| eval tmp=trim(tmp,"|")
| table tmp

View solution in original post

livehybrid · ‎09-05-2025

Hi @spisiakmi

I dont think your isnotnull is matchnig as you expect on "", try this:

| makeresults
| eval tmp_1=1
| eval tmp_2=""
| eval tmp_3=3
| eval tmp=""
| foreach tmp_*
[| eval tmp = tmp.if(<<FIELD>>!="",<<FIELD>>."|","")]
| eval tmp=trim(tmp,"|")
| table tmp

spisiakmi · ‎09-05-2025

livehybrid thank you very much, simple, easy, fast. Very good.

gcusello · ‎09-05-2025

Hi @spisiakmi ,

please try this:

| makeresults
| eval tmp_1=1
| eval tmp_2=""
| eval tmp_3=3
| eval tmp=""
| foreach tmp_*
[| eval tmp = tmp ."|".if(isnotnull(<<FIELD>>),<<FIELD>>,"")]
| eval tmp=substr(tmp, 2)
| rex field=tmp mode=sed "s/\|+/|/g"
| table tmp

Ciao.

Giuseppe

spisiakmi · ‎09-05-2025

Hey gcusello, thank you very much.

skip step in foreach

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation