Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Foreach Not Working

IRHM73
Motivator
‎04-05-2019 02:15 AM

Hi,

I wonder whether someone can help me please.

I've put together the following query:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<myField>.*)\)" 
| makemv myField 
| mvexpand myField
| makemv delim="," myField
| eval wibble {myField}=myField
| eval header=""
| foreach wibble* [eval header=header+'<<MATCHSTR>>']
| chart sum(wibble*) as wibble* by _time

There are a couple of issues with this.

On the eval wibble line, the new field has a comma added to the field name, even though it's been removed on the makemv line.

Then the second and most important issue is that when I run the query, the chart only shows the 'wibble fieldnames.

I just wondered whether someone could look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

IRHM73
Motivator
‎04-10-2019 10:42 PM

Hi @kamlesh_vaghela.

Thank you for getting in touch with me, and I'm so sorry it's taken some time to come back to you.

I have come up with the following solution:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<Fields>.*)\)" 
| makemv Fields 
| makemv delim="," Fields 
| mvexpand Fields
| eval nField {Fields}=Fields
| foreach nField* [eval <<MATCHSTR>> = '<<FIELD>>']
| chart values(detail.serviceName) AS "Service Name" count(nField*) as * by _time

Many thanks and kind regards

Chris

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

IRHM73
Motivator
‎04-10-2019 10:42 PM

Hi @kamlesh_vaghela.

Thank you for getting in touch with me, and I'm so sorry it's taken some time to come back to you.

I have come up with the following solution:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<Fields>.*)\)" 
| makemv Fields 
| makemv delim="," Fields 
| mvexpand Fields
| eval nField {Fields}=Fields
| foreach nField* [eval <<MATCHSTR>> = '<<FIELD>>']
| chart values(detail.serviceName) AS "Service Name" count(nField*) as * by _time

Many thanks and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-10-2019 11:15 PM

@IRHM73

Great. Please accept your answer.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-05-2019 02:26 AM

@IRHM73

Can you please share sample event and expected output?

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...