https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199018#M57612 <P>The result of a splunk query is the following:</P> <P>Result set 1:</P> <PRE><CODE>method success failures Over_method1 Over_method2 Over_method3 method1 0 73 3 0 0 method2 196 0 0 2 0 </CODE></PRE> <P>I need to reduce this result set as follow:</P> <PRE><CODE>method success failures Over method1 0 73 3 method2 196 0 2 </CODE></PRE> <P>I tried using the search command <EM>foreach</EM> but no success.</P> <PRE><CODE>Splunk search to get result set 1| foreach Over_* [eval Over=Over+&lt;&lt;FIELD&gt;&gt;]| table method success failures Over </CODE></PRE> <P>OR </P> <PRE><CODE>Splunk to get result set 1| foreach Over_* [eval Over=Over+'&lt;&lt;FIELD&gt;&gt;']| table method success failures Over </CODE></PRE> <P>This could be done with the following query:</P> <PRE><CODE>Splunk search to get result set 1| =if(Over_method1&gt;0,Over_method1,if(Over_method2&gt;0,Over_method2,0))| table method success failures Over </CODE></PRE> <P>However, A simpler way is to use the foreach function. To make it work the mapping variable needs to be initialized as presented in below answer. If not the result set will not be reduced correctly. So the final query is:</P> <PRE><CODE>Splunk to get result set 1|eval Over=0| foreach Over_* [eval Over=Over+'&lt;&lt;FIELD&gt;&gt;']| table method success failures Over </CODE></PRE> <P>Thanks,<BR /> Lp</P> Mon, 16 Jun 2014 18:49:08 GMT lpolo 2014-06-16T18:49:08Z https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199018#M57612 <P>The result of a splunk query is the following:</P> <P>Result set 1:</P> <PRE><CODE>method success failures Over_method1 Over_method2 Over_method3 method1 0 73 3 0 0 method2 196 0 0 2 0 </CODE></PRE> <P>I need to reduce this result set as follow:</P> <PRE><CODE>method success failures Over method1 0 73 3 method2 196 0 2 </CODE></PRE> <P>I tried using the search command <EM>foreach</EM> but no success.</P> <PRE><CODE>Splunk search to get result set 1| foreach Over_* [eval Over=Over+&lt;&lt;FIELD&gt;&gt;]| table method success failures Over </CODE></PRE> <P>OR </P> <PRE><CODE>Splunk to get result set 1| foreach Over_* [eval Over=Over+'&lt;&lt;FIELD&gt;&gt;']| table method success failures Over </CODE></PRE> <P>This could be done with the following query:</P> <PRE><CODE>Splunk search to get result set 1| =if(Over_method1&gt;0,Over_method1,if(Over_method2&gt;0,Over_method2,0))| table method success failures Over </CODE></PRE> <P>However, A simpler way is to use the foreach function. To make it work the mapping variable needs to be initialized as presented in below answer. If not the result set will not be reduced correctly. So the final query is:</P> <PRE><CODE>Splunk to get result set 1|eval Over=0| foreach Over_* [eval Over=Over+'&lt;&lt;FIELD&gt;&gt;']| table method success failures Over </CODE></PRE> <P>Thanks,<BR /> Lp</P> Mon, 16 Jun 2014 18:49:08 GMT https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199018#M57612 lpolo 2014-06-16T18:49:08Z https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199019#M57613 <P>Try this</P> <PRE><CODE>Splunk search to get result set 1| eval Over=0 | foreach Over_* [eval Over=Over + &lt;&lt;FIELD&gt;&gt;]|table method success failures Over </CODE></PRE> <P>Alternative (using untable) </P> <PRE><CODE>Splunk search to get result set 1 | untable method key value | eval key=case(like(key,"Over%"),"Over",1=1,key) | chart sum(value) over method by key </CODE></PRE> Mon, 16 Jun 2014 20:01:37 GMT https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199019#M57613 somesoni2 2014-06-16T20:01:37Z https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199020#M57614 <P>Thanks. I made a little change for the eval expression to work, &lt;<FIELD>&gt; needs to be surrounded by single quotes. I updated the original question. </FIELD></P> <P>|Splunk search to get result set 1|eval Over=0 | foreach Over_* [eval Over=Over+'&lt;<FIELD>&gt;']|table method success failures Over</FIELD></P> Tue, 17 Jun 2014 11:29:05 GMT https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199020#M57614 lpolo 2014-06-17T11:29:05Z https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199021#M57615 <P>However, After reading the answer presented bellow I made a little change for the eval expression to work, &lt;<FIELD>&gt; needs to be surrounded by single quotes.</FIELD></P> Tue, 17 Jun 2014 11:32:04 GMT https://community.splunk.com/t5/Splunk-Search/Reduce-a-result-set-using-the-foreach-splunk-search-command/m-p/199021#M57615 lpolo 2014-06-17T11:32:04Z