https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321386#M96001 <P>@kennethyeung, I think you intend to run the <CODE>map</CODE> command not foreach. <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map</A></P> <P>If it does not work for you, please re-post your existing search with <CODE>code button (101010)</CODE> so that special characters do not escape.</P> Wed, 06 Dec 2017 02:27:44 GMT niketn 2017-12-06T02:27:44Z https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321385#M96000 <P>i search in splunk , seem that foreach cannot pass the '&gt;FIELD&lt;' into Subsearch , i search that have to use map command<BR /> i have below search , could someone help me change to map search?</P> <P>index=test code IN (1,3) <BR /> | foreach 1 3 <BR /> [ eval code&lt;<FIELD>&gt;= [search index=test code=&lt;<FILED>&gt; | eval c= price|return $c ]]</FILED></FIELD></P> <P>Thanks</P> Wed, 06 Dec 2017 01:26:21 GMT https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321385#M96000 kennethyeung 2017-12-06T01:26:21Z https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321386#M96001 <P>@kennethyeung, I think you intend to run the <CODE>map</CODE> command not foreach. <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map</A></P> <P>If it does not work for you, please re-post your existing search with <CODE>code button (101010)</CODE> so that special characters do not escape.</P> Wed, 06 Dec 2017 02:27:44 GMT https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321386#M96001 niketn 2017-12-06T02:27:44Z https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321387#M96002 <P>Hello Niketnilay,</P> <P>I have some data like below</P> <P>date, code, price<BR /> 20171108,A,1<BR /> 20171109,A,1.5<BR /> 20171110,A,2<BR /> 20171108,B,10<BR /> 20171109,B,20<BR /> 20171110,B,5</P> <P>want to get result like below<BR /> date, codeA, codeB<BR /> 20171108,,0,0<BR /> 20171109,,50,200<BR /> 20171110,,200,-50</P> <P>my idea is <BR /> index=test code IN (1,3) <BR /> | foreach 1 3 <BR /> [ eval code&lt;&lt;101010)&gt; &gt; = [search index=test code=&lt;&lt;101010)&gt; &gt; | tail 1 | eval c= price|return $c ]]<BR /> | foreach code_* [eval p_code_&lt;&gt;=close/close_&lt;&gt;]<BR /> | ... chart sum(p_code) by date, code</P> <P>I need the subsearch to search the oldest record and return the price as the base.</P> <P>101010=FIELD</P> <P>Thank your for your help</P> Tue, 29 Sep 2020 17:08:52 GMT https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321387#M96002 kennethyeung 2020-09-29T17:08:52Z https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321388#M96003 <P>Thanks, i use join the solve my question, thank your for your help,<BR /> I am newibe in splunk, used to think as programmer.</P> <P>index=test code IN (A,B) </P> <P>| join code <BR /> [search index=test <BR /> | tail <BR /> [search |eval code_count = mvcount(split("A,B",","))<BR /> | return $code_count]<BR /> | table code, close<BR /> | rename close as baseclose]<BR /> | eval percent=(close-baseclose)/baseclose*100<BR /> | chart sum(percent) by date,code</P> Tue, 29 Sep 2020 17:09:00 GMT https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321388#M96003 kennethyeung 2020-09-29T17:09:00Z https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321389#M96004 <P>@kennethyeung, your query and use case is still not clear. The code button is in Splunk Answers Text Box when you type in.</P> <P>How you are calculating percent? Can you show example with data? What is the <CODE>close</CODE> field(it has not been mentioned in your prior posts)?</P> <P>Most likely you do not need join. You can check out <CODE>eventstats</CODE> to calculate stats like <CODE>sum(price) as Total by code</CODE> and persist the same on events. Then you can calculate percent later.</P> <P>Following is a run anywhere search that cooks up data as per your question. Commands till <CODE>| table date code price</CODE>, generate dummy data.</P> <PRE><CODE>| makeresults | eval data="20171108,A,1;20171109,A,1.5;20171110,A,2;20171108,B,10;20171109,B,20;20171110,B,5" | makemv data delim=";" | mvexpand data | eval data=split(data,",") | eval date=mvindex(data,0), code=mvindex(data,1), price=mvindex(data,2) | table date code price | eventstats sum(price) as Total by code | chart sum(price) as Price values(Total) as Total by date code | foreach "Price: *" [ eval "Percent: &lt;&lt;MATCHSTR&gt;&gt;"= round(('&lt;&lt;FIELD&gt;&gt;'/'Total: &lt;&lt;MATCHSTR&gt;&gt;')*100,1)] | table date Percent* </CODE></PRE> <P>PS: I am not sure on your logic for Calculation of Percent, but hopefully this should guide you.</P> Wed, 06 Dec 2017 07:01:47 GMT https://community.splunk.com/t5/Splunk-Search/foreach-with-subsearch/m-p/321389#M96004 niketn 2017-12-06T07:01:47Z