Solved: Re: Why is the 'foreach' command losing event data...

jpawloski · ‎04-22-2019

I'm running Splunk 6.2. I'm dealing with events that have varying amounts of multivalue fields (some events have one, others have up to 12+). The fields follow a field_name0001naming convention, like so :

 base search | eval dataReceived="" | foreach datarcvd_000* [eval dataReceived=dataReceived."<<FIELD>>"." ".'<<FIELD>>'." " ] | table _time dataReceived

When I run this against a week's worth of events, there are several that return nothing in the dataReceived field despite the raw event fields being present, and it's always the same handful of events that return null. But what really throws me is that if I filter the base search to return a single uncooperative event, the foreach works and it suddenly starts returning data in dataReceived as expect. What gives?

woodcock · ‎04-22-2019

Try this:

base search
| eval dataReceived=""
| foreach datarcvd_000* [eval dataReceived=if(isnotnull(<<FIELD>>), dataReceived."<<FIELD>>"." ".'<<FIELD>>'." ", dataReceived]
| table _time dataReceived

View solution in original post

woodcock · ‎04-22-2019

Try this:

base search
| eval dataReceived=""
| foreach datarcvd_000* [eval dataReceived=if(isnotnull(<<FIELD>>), dataReceived."<<FIELD>>"." ".'<<FIELD>>'." ", dataReceived]
| table _time dataReceived

woodcock · ‎04-22-2019

If any event does not contain ALL possible datarcvd_000* values, then your original eval will fail.

jpawloski · ‎05-18-2019

You've done it once again, woodcock. Thanks!

Why is the 'foreach' command losing event data?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases