Splunk Search

Foreach Not Working

IRHM73
Motivator

Hi,

I wonder whether someone can help me please.

I've put together the following query:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<myField>.*)\)" 
| makemv myField 
| mvexpand myField
| makemv delim="," myField
| eval wibble {myField}=myField
| eval header=""
| foreach wibble* [eval header=header+'<<MATCHSTR>>']
| chart sum(wibble*) as wibble* by _time

There are a couple of issues with this.

On the eval wibble line, the new field has a comma added to the field name, even though it's been removed on the makemv line.

Then the second and most important issue is that when I run the query, the chart only shows the 'wibble fieldnames.

I just wondered whether someone could look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

0 Karma
1 Solution

IRHM73
Motivator

Hi @kamlesh_vaghela.

Thank you for getting in touch with me, and I'm so sorry it's taken some time to come back to you.

I have come up with the following solution:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<Fields>.*)\)" 
| makemv Fields 
| makemv delim="," Fields 
| mvexpand Fields
| eval nField {Fields}=Fields
| foreach nField* [eval <<MATCHSTR>> = '<<FIELD>>']
| chart values(detail.serviceName) AS "Service Name" count(nField*) as * by _time 

Many thanks and kind regards

Chris

View solution in original post

0 Karma

IRHM73
Motivator

Hi @kamlesh_vaghela.

Thank you for getting in touch with me, and I'm so sorry it's taken some time to come back to you.

I have come up with the following solution:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<Fields>.*)\)" 
| makemv Fields 
| makemv delim="," Fields 
| mvexpand Fields
| eval nField {Fields}=Fields
| foreach nField* [eval <<MATCHSTR>> = '<<FIELD>>']
| chart values(detail.serviceName) AS "Service Name" count(nField*) as * by _time 

Many thanks and kind regards

Chris

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@IRHM73

Great. Please accept your answer.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@IRHM73

Can you please share sample event and expected output?

0 Karma
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...