Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with foreach on REST endpoint data

andrew_nelson
Communicator
‎09-30-2022 06:02 AM

I'm trying to get a list of fields by sourcetype without going down the route of fieldsummary and thought analyzing the props configs would be a good place to start. 

I'm starting with EVAL generated fields but not having any luck on the foreach section.
Any pointers would be much appreciated.

 

| rest splunk_server=local /servicesNS/-/-/configs/conf-props 
| table title EVAL-a* 
| eval eval_fields="" 
| foreach EVAL-* 
    [ eval eval_fields=if(isnotnull(<<FIELD>>), mvappend(eval_fields,'<<MATCHSTR>>'), eval_fields) ] 
| table title eval_fields *

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-30-2022 06:25 AM

@andrew_nelson 

Can you please try this in foreach?

[ eval eval_fields= if(isnotnull('<<FIELD>>'), mvappend(eval_fields,"<<MATCHSTR>>"), eval_fields) ]

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2022 06:39 AM

You're very close.  The <<FIELD>> specifier should be enclosed in single quotes so Splunk treats "EVAL-action" as a field name instead of an expression.  Also, <<MATCHSTR>> should be in double quotes so the string "action" rather than the non-existent field 'action' is appended to eval_fields.

| rest splunk_server=local /servicesNS/-/-/configs/conf-props 
| fields title EVAL-a* 
| eval eval_fields="" 
| foreach EVAL-*
    [ eval eval_fields=if(isnotnull('<<FIELD>>'), mvappend(eval_fields,"<<MATCHSTR>>"), eval_fields) ] 
| table title eval_fields *

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

andrew_nelson
Communicator
‎09-30-2022 07:01 AM

Thanks Rich. I was thinking along the lines of putting anything in double quotes would be interpreted literally so <<MATCHSTR>> would have ended up in my multivalue field. 
Thanks for the detailed explanation. 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-30-2022 07:11 AM

Understood.  Like $tokens$ in dashboards and the map command, <<tokens>> in foreach are always expanded, even when quoted.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-30-2022 06:25 AM

@andrew_nelson 

Can you please try this in foreach?

[ eval eval_fields= if(isnotnull('<<FIELD>>'), mvappend(eval_fields,"<<MATCHSTR>>"), eval_fields) ]

 

I hope this will help you.

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

Reply
Solved! Jump to solution

andrew_nelson
Communicator
‎09-30-2022 06:29 AM

You're a legend KV  ! Thanks a million.
Been annoying me all day trying to figure out this. 

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-30-2022 06:31 AM

😊😍

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...