topic Re: Foreach in Multisearch in Splunk Search

Foreach in Multisearch

IRHM73 — Thu, 28 Feb 2019 07:14:10 GMT

Hi, I wonder whether someone can help me please.

I've put together the query below using the foreach command, which, although I've read a lot of posts, I've not really used, or if truth be known understood a great deal.

| multisearch
[ search `gateway_wmf(ClientRequest)` path=*vat*]
[ search `wso2_wmf(RequestCompleted)` "request.detail.apiContext"=*test]
| eval RequestID=coalesce('request.tags.X-Request-ID','requestID')
| dedup eventId
| rename request.detail.applicationProductionClientId as ClientID response.detail.statusCode AS statusCode
| foreach clientHeaders.test* [eval header='<<FIELD>>']
| stats count(header) by RequestID

The query runs, but there is no new field called "header" created and hence I don't receive my stats count at the end of the query.

Could someone perhaps have a look a this please and offer some guidance on where I've gone wrong and a brief explanation of the 'foreach' command.

Many thanks and kind regards

Chris

Re: Foreach in Multisearch

tiagofbmm — Thu, 28 Feb 2019 08:18:20 GMT

If there is no header field on the search result I guess there is no fields clientHeaders.test with a suffix.

Check this dummy example, where only one field called header is created, which seems to not have much logic when framing this with the foreach command

| makeresults | eval clientHeaders.test1=1, clientHeaders.test2=2 | foreach clientHeaders.test* [eval header='<>']

If you want a field header_ for each of the clientHeaders.test, you can use

| makeresults | eval clientHeaders.test1=1, clientHeaders.test2=2 | foreach clientHeaders.test* [eval header_<>='<>']

In my opinion it doesn't seem to be what you want to achieve from what I get from your query. Would you put here an anonymyzed example of existing fields at this point:

| multisearch
[ search gateway_wmf(ClientRequest) path=vat]
[ search wso2_wmf(RequestCompleted) "request.detail.apiContext"=*test]
| eval RequestID=coalesce('request.tags.X-Request-ID','requestID')
| dedup eventId
| rename request.detail.applicationProductionClientId as ClientID response.detail.statusCode AS statusCode

And get us what you want to get in the end?

Re: Foreach in Multisearch

IRHM73 — Thu, 28 Feb 2019 09:18:16 GMT

Hi @tiagofbmm . Thank you for taking the time to come back to me with this.

The query I posted is correct except for the .test. It is something mores restricted but the process should be the same and so I have changed this when I use it in my system.

There are up to 15 'client,header' fields and may be more in the future so I thought, perhaps wrongly that by using 'foreach clientHeaders.test*' would future proof.

Many thanks and kind regards

Chris

Re: Foreach in Multisearch

mstjohn_splunk — Thu, 28 Feb 2019 21:01:01 GMT

Hi @tiagofbmm would you mind copying this solution, and posting it in this post: https://answers.splunk.com/answers/730424/foreach-in-multisearch-1.html

Unfortunately, this question is a duplicate of another post, which mean that I have to close it.

Thanks, and let me know if you have any questions.

Re: Foreach in Multisearch

tiagofbmm — Fri, 01 Mar 2019 11:04:23 GMT

@mstjohn_splunk no worries, it's done 😉

Re: Foreach in Multisearch

mstjohn_splunk — Fri, 01 Mar 2019 22:53:51 GMT

@tiagofbmm Thanks so much!