Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Foreach command with eval if

mah
Builder
‎01-03-2022 08:18 AM

Hi, 

I have a table like that :

teststate_Astate_Bstate_C
1okko- WARNko - ERROR
2ko- WARNokok
3okokok

 

I would like to create a field "global_state" with "done" value if all fields state_* value are "OK" , if not write "issue":

teststate_Astate_Bstate_Cglobal_state
1okko- WARNko - ERRORissue
2ko- WARNokokissue
3okokokdone

I tried this foreach but not working :

| foreach state_*  [ eval global_state= if(<<FIELD>>=="ko- WARN" OR <<FIELD>>=="ko - ERROR", "issue", "done") ]

The second condition in the if is not applied. 

Can you help me please?

Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-04-2022 07:20 AM

Your issue is that you evaluate the field with each foreach call (as per the name).

So effectively you're getting only the final value. In the first row you're gonna get "issue" properly as the result because you have a "not OK" value in the last field but in the second row the global_state gets evaluated to "issue" for state_A but is immediately overwritten with "done" from state_B and then from state_C.

In such case you'd rather want to define an initial value beforehand  and then overwrite it if there is a need to do so. Like

<your search>
| eval global_state="done"
| foreach state_*
   [ eval global_state=if(<<FIELD>>!="ok","issue",global_state) ]

 This way you set your global_state initially to "done" and then if you encounter any value other than "ok" in any of the state_* fields, it's getting overwritten to "issue".

Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-03-2022 11:02 AM

It looks like global_state will be set based only on the last field evaluated.  See if this variation helps.

| eval ok_count = 0
| foreach state_*  [ eval ok_count = ok_count + case(<<FIELD>>=="ko-WARN", 0, <<FIELD>>=="ko-ERROR", 0, 1==1, 1) ]
| eval global_state = if(ok_count==3, "done", "issue")

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mah
Builder
‎01-04-2022 07:05 AM

Hi @richgalloway 

Your example did not work, it gave me same issue than my search.

0 Karma
Reply

johnhuang
Motivator
‎01-04-2022 09:06 PM

Here are 2 ways to skin this cat.

 

| eval combined_state=TRIM(state_A)."-".TRIM(state_B)."-".TRIM(state_C)
| eval global_state=IF(combined_state="ok-ok-ok", "done", "issue")

 

| foreach state_* [| eval combined_state=MVAPPEND(combined_state, TRIM(<<FIELD>>))]
| eval combined_state=MVDEDUP(combined_state)
| eval global_state=IF(MVCOUNT(combined_state)==1 AND combined_state="ok", "done", "issue")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top