topic How to use foreach with search filter? in Splunk Search

How to use foreach with search filter?

Shan — Wed, 17 Jun 2020 09:35:48 GMT

Hi All,

I have a requirement to use foreach with search filter.

Example fileds 192345_Employeestatus,207754_Employeestatus,158345_Employeestatus

| foreach *_Employeestatus [search <<MATCHSTR>>_Employeestatus='<<FIELD>>' (('<<FIELD>>'="") OR ('<<FIELD>>'="new") OR ('<<FIELD>>'="Working") OR ('<<FIELD>>'="exit") OR ('<<FIELD>>'="IND") OR ('<<FIELD>>'="Aus") OR ('<<FIELD>>'="relocated") OR ('<<FIELD>>'="yettojoin") OR ('<<FIELD>>'="Manager") OR ('<<FIELD>>'="AsstManager") OR ('<<FIELD>>'="SeniorAss")) ]

But search filter is not filtering the data as expected.
Need your help ..
Thanks in advance..

Learner ...

Re: How to use foreach with search filter?

richgalloway — Wed, 17 Jun 2020 13:35:21 GMT

What problem are you trying to solve? Where did the requirement to use foreach come from?

Make sure the subsearch makes sense once the variables are substituted. For example:

search 192345_Employeestatus='192345_Employeestatus' (('192345_Employeestatus'="") OR ('192345_Employeestatus'="new") OR ('192345_Employeestatus'="Working") OR ('192345_Employeestatus'="exit") OR ('192345_Employeestatus'="IND") OR ('192345_Employeestatus'="Aus") OR ('192345_Employeestatus'="relocated") OR ('192345_Employeestatus'="yettojoin") OR ('192345_Employeestatus'="Manager") OR ('192345_Employeestatus'="AsstManager") OR ('192345_Employeestatus'="SeniorAss"))

Re: How to use foreach with search filter?

Shan — Wed, 17 Jun 2020 15:44:30 GMT

@richgalloway.

Thanks for your reply.

Now i have 3 field with prefix values of 192345_Employeestatus,207754_Employeestatus,158345_Employeestatus.
In future we will get some more fileds with XXXXXX_Employeestatus. We dont know wht will be that prefix numbers.
So now while writing query itself. We are looking for the solution to get the fields(192345_Employeestatus,207754_Employeestatus,158345_Employeestatus,XXXXXX_Employeestatus etc) in for loop and check them in search filter.

Im trying to use search filter with same values with different fields in foreach loop.

Thanks..

Re: How to use foreach with search filter?

richgalloway — Wed, 17 Jun 2020 16:17:13 GMT

I'm still wondering if foreach is the right solution to the problem, but don't know what the problem is so can't determine if there's a better answer.

Re: How to use foreach with search filter?

to4kawa — Wed, 17 Jun 2020 20:25:33 GMT

| foreach *_Employeestatus [ eval Employeestatus=mvappend(Employeestatus,'<<FIELD>>')]
| streamstats count as session
| mvexpand Employeestatus
| search Employeestatus="" OR Employeestatus="new" OR ....
| stats values(*) as * by session
| fields - Emplyeestatus session

foreach can't use by search filter, I guess.

Re: How to use foreach with search filter?

Shan — Sun, 16 May 2021 11:49:47 GMT

Hi Experts,

Do we have solution for above mentioned issue in splunk now?

Thanks..

Re: How to use foreach with search filter?

ITWhisperer — Sun, 16 May 2021 12:49:10 GMT

The gentimes searches just generate some data. This is repeated in the filter search but this is just to get find all the fields which match *_Employeestatus. These are then transposed so column has all these field names. For each field name, create a mv-field with all the values you want to match on, mvexpand this to create a row for each *_Employeestatus field crossed with each value. Then return a field for each *_Employeestatus field with the value to be searched. This becomes your search filter.

| gentimes start=-1 increment=1h | rename starttime as _time | fields _time | eval initial_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | eval current_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | eval future_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | search [| gentimes start=-1 increment=1h | rename starttime as _time | fields _time | eval initial_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | eval current_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | eval future_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4) | stats values(*_Employeestatus) as *_Employeestatus | transpose 0 | eval status=split("exit,,relocated",",") | fields column status | mvexpand status | eval {column}=status | fields - column status]