Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Foreach command with eval if

mah
Builder
‎01-03-2022 08:18 AM

Hi, 

I have a table like that :

teststate_Astate_Bstate_C
1okko- WARNko - ERROR
2ko- WARNokok
3okokok

 

I would like to create a field "global_state" with "done" value if all fields state_* value are "OK" , if not write "issue":

teststate_Astate_Bstate_Cglobal_state
1okko- WARNko - ERRORissue
2ko- WARNokokissue
3okokokdone

I tried this foreach but not working :

| foreach state_*  [ eval global_state= if(<<FIELD>>=="ko- WARN" OR <<FIELD>>=="ko - ERROR", "issue", "done") ]

The second condition in the if is not applied. 

Can you help me please?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-04-2022 07:20 AM

Your issue is that you evaluate the field with each foreach call (as per the name).

So effectively you're getting only the final value. In the first row you're gonna get "issue" properly as the result because you have a "not OK" value in the last field but in the second row the global_state gets evaluated to "issue" for state_A but is immediately overwritten with "done" from state_B and then from state_C.

In such case you'd rather want to define an initial value beforehand  and then overwrite it if there is a need to do so. Like

<your search>
| eval global_state="done"
| foreach state_*
   [ eval global_state=if(<<FIELD>>!="ok","issue",global_state) ]

 This way you set your global_state initially to "done" and then if you encounter any value other than "ok" in any of the state_* fields, it's getting overwritten to "issue".

Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2022 11:02 AM

It looks like global_state will be set based only on the last field evaluated.  See if this variation helps.

| eval ok_count = 0
| foreach state_*  [ eval ok_count = ok_count + case(<<FIELD>>=="ko-WARN", 0, <<FIELD>>=="ko-ERROR", 0, 1==1, 1) ]
| eval global_state = if(ok_count==3, "done", "issue")

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mah
Builder
‎01-04-2022 07:05 AM

Hi @richgalloway 

Your example did not work, it gave me same issue than my search.

0 Karma
Reply

johnhuang
Motivator
‎01-04-2022 09:06 PM

Here are 2 ways to skin this cat.

 

| eval combined_state=TRIM(state_A)."-".TRIM(state_B)."-".TRIM(state_C)
| eval global_state=IF(combined_state="ok-ok-ok", "done", "issue")

 

| foreach state_* [| eval combined_state=MVAPPEND(combined_state, TRIM(<<FIELD>>))]
| eval combined_state=MVDEDUP(combined_state)
| eval global_state=IF(MVCOUNT(combined_state)==1 AND combined_state="ok", "done", "issue")
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...