https://community.splunk.com/t5/Splunk-Search/How-come-this-doesn-t-work-given-indexers-csv-is-a-list-of/m-p/631932#M219495 <P>That is not what foreach is designed for. It looks like you want to run a search using the value of each splunk_server in your lookup, so use a subsearch like this</P><LI-CODE lang="markup">index=_introspection sourcetype=splunk_resource_usage component=IOStats [ | inputlookup indexers.csv | rename splunk_server as host ] | eval reads_ps = 'data.reads_ps' | eval writes_ps = 'data.writes_ps' </LI-CODE><P>I have left out the last two avg() statements as that is not how eval works - eval is to perform an action on a single event. If you want to create averages, use some form of stats command, e.g.</P><LI-CODE lang="markup">| stats avg(write_ps) as writes_ps avg(reads_ps) as reads_ps by host</LI-CODE> Wed, 22 Feb 2023 22:52:30 GMT bowesmana 2023-02-22T22:52:30Z https://community.splunk.com/t5/Splunk-Search/How-come-this-doesn-t-work-given-indexers-csv-is-a-list-of/m-p/631930#M219493 <P>How come this doesn't work given indexers.csv is a list of Splunk servers with role Indexer?</P> <P>| inputlookup indexers.csv| rename splunk_server as Indxr| foreach Indxr [search index=_introspection sourcetype=splunk_resource_usage component=IOStats host=Indxr | eval reads_ps = 'data.reads_ps'| eval writes_ps = 'data.writes_ps' | eval writes_ps=avg(write_ps) | eval reads_ps=avg(reads_ps)]</P> Wed, 22 Feb 2023 23:05:15 GMT https://community.splunk.com/t5/Splunk-Search/How-come-this-doesn-t-work-given-indexers-csv-is-a-list-of/m-p/631930#M219493 albledsoe 2023-02-22T23:05:15Z https://community.splunk.com/t5/Splunk-Search/How-come-this-doesn-t-work-given-indexers-csv-is-a-list-of/m-p/631932#M219495 <P>That is not what foreach is designed for. It looks like you want to run a search using the value of each splunk_server in your lookup, so use a subsearch like this</P><LI-CODE lang="markup">index=_introspection sourcetype=splunk_resource_usage component=IOStats [ | inputlookup indexers.csv | rename splunk_server as host ] | eval reads_ps = 'data.reads_ps' | eval writes_ps = 'data.writes_ps' </LI-CODE><P>I have left out the last two avg() statements as that is not how eval works - eval is to perform an action on a single event. If you want to create averages, use some form of stats command, e.g.</P><LI-CODE lang="markup">| stats avg(write_ps) as writes_ps avg(reads_ps) as reads_ps by host</LI-CODE> Wed, 22 Feb 2023 22:52:30 GMT https://community.splunk.com/t5/Splunk-Search/How-come-this-doesn-t-work-given-indexers-csv-is-a-list-of/m-p/631932#M219495 bowesmana 2023-02-22T22:52:30Z https://community.splunk.com/t5/Splunk-Search/How-come-this-doesn-t-work-given-indexers-csv-is-a-list-of/m-p/631937#M219497 <P>Yep, that's it. It's been sometime since I wrote SPL.&nbsp; I had been using the REST API in Bash and Javascript. But many don't want to run my scripts. So I am trying to convert to copy/paste SPL. Thanks for the quick tutorial.</P> Wed, 22 Feb 2023 23:21:15 GMT https://community.splunk.com/t5/Splunk-Search/How-come-this-doesn-t-work-given-indexers-csv-is-a-list-of/m-p/631937#M219497 albledsoe 2023-02-22T23:21:15Z