Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Foreach Not Working

IRHM73
Motivator
‎04-05-2019 02:15 AM

Hi,

I wonder whether someone can help me please.

I've put together the following query:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<myField>.*)\)" 
| makemv myField 
| mvexpand myField
| makemv delim="," myField
| eval wibble {myField}=myField
| eval header=""
| foreach wibble* [eval header=header+'<<MATCHSTR>>']
| chart sum(wibble*) as wibble* by _time

There are a couple of issues with this.

On the eval wibble line, the new field has a comma added to the field name, even though it's been removed on the makemv line.

Then the second and most important issue is that when I run the query, the chart only shows the 'wibble fieldnames.

I just wondered whether someone could look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

0 Karma
1 Solution
Solved! Jump to solution
Solution

IRHM73
Motivator
‎04-10-2019 10:42 PM

Hi @kamlesh_vaghela.

Thank you for getting in touch with me, and I'm so sorry it's taken some time to come back to you.

I have come up with the following solution:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<Fields>.*)\)" 
| makemv Fields 
| makemv delim="," Fields 
| mvexpand Fields
| eval nField {Fields}=Fields
| foreach nField* [eval <<MATCHSTR>> = '<<FIELD>>']
| chart values(detail.serviceName) AS "Service Name" count(nField*) as * by _time

Many thanks and kind regards

Chris

View solution in original post

0 Karma
Solved! Jump to solution
Solution

IRHM73
Motivator
‎04-10-2019 10:42 PM

Hi @kamlesh_vaghela.

Thank you for getting in touch with me, and I'm so sorry it's taken some time to come back to you.

I have come up with the following solution:

`real-time-information_wmf(ServiceRequestReceived)` 
| rex field=detail.filterFields "\((?<Fields>.*)\)" 
| makemv Fields 
| makemv delim="," Fields 
| mvexpand Fields
| eval nField {Fields}=Fields
| foreach nField* [eval <<MATCHSTR>> = '<<FIELD>>']
| chart values(detail.serviceName) AS "Service Name" count(nField*) as * by _time

Many thanks and kind regards

Chris

0 Karma
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-10-2019 11:15 PM

@IRHM73

Great. Please accept your answer.

0 Karma
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎04-05-2019 02:26 AM

@IRHM73

Can you please share sample event and expected output?

0 Karma
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 3)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Digital Resilience Assessment Launch | How prepared are you for disruption?

Disruption is inevitable. The question is – how prepared are you to handle it? In today’s fast-moving digital ...

Buttercup Games: Further Dashboarding Techniques (Part 2)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top