topic Re: foreach issue in Splunk Search

foreach issue

akawacz — Mon, 26 Oct 2015 14:34:15 GMT

Hi,

Can FOREACH commnad can read text value ? I am having issue to create new columns
foreach IM_* [eval TYPE='<<FIELD>>']

So if columns name are A, B ,C .... I would like to create eval expression eval TYPE= A eval TYPE = B and so on...which create automatically instead of creating them one by one.

Thank you

Re: foreach issue

woodcock — Mon, 26 Oct 2015 14:46:44 GMT

I cannot make sense of your question as it is written. It will REALLY help if you give an example dataset and also an example of desired final output.

Re: foreach issue

richgalloway — Mon, 26 Oct 2015 15:08:53 GMT

If you have fields called 'A', 'B', and 'C', then foreach IM_* ... will not match on them. Perhaps there is another way to accomplish your goal if you'll tell us what you want to do.

Re: foreach issue

akawacz — Mon, 26 Oct 2015 16:51:24 GMT

Hi
Sorry for not clear explanation. I have just figured out myself

My point was to create two new fileds :
FLAG- is showing how many fileds are populated for some values (1 if it is some value)
TYPE - is creating a lot of new fileds with the name of the column

So i get two new flags fileds FLAG, TYPE

eval TYPE= "" | foreach IM_* [eval TYPE= TYPE.if(isnotnull('<<MATCHSTR>>'), "<<MATCHSTR>>#", "")] | makemv delim="#" TYPE | foreach IM_* [eval FLAG=if(isnull(<<MATCHSTR>>),0,1)]

Re: foreach issue

richgalloway — Mon, 26 Oct 2015 17:01:31 GMT

Please accept your answer so others who have a similar problem in the future can find it.

Re: foreach issue

woodcock — Mon, 26 Oct 2015 17:28:57 GMT

I edited your answer to fix some markdown problems but I am not sure that I got it correct so please do double-check before clicking "Accept". I am pretty sure that your FLAG part is wrong because the assignment is overwriting itself every time so you are only getting the effect of the last field. Perhaps you meant this?

eval TYPE= "" | foreach IM_* [eval TYPE= TYPE.if(isnotnull('<<MATCHSTR>>'), "<<MATCHSTR>>#", "")] | makemv delim="#" TYPE | foreach IM_* [eval FLAG=FLAG + if(isnull(<<MATCHSTR>>),0,1)]

Re: foreach issue

akawacz — Tue, 29 Sep 2020 07:40:49 GMT

it is happening like you said. Last value is shown in the FLAG. I was trying to add this part what you mentioned but unfortunately is not working.

However I have made this simpler. I have changed FLAG eval expression. Results are expected (Now it is showing me how many values are in the every column. )
Previous version also works but second FOREACH statement did not do anything- all job is done in status - count)

eval TYPE= "" | foreach IM_* [eval TYPE= TYPE.if(isnotnull('<>'), "<>#", "")] | makemv delim="#" TYPE |
eval FLAG="FLAG" | stats count(FLAG) as COUNT by TYPE, REPORT_PERIOD