Splunk Search

Foreach fails if field contains colon or dot.

iet_ashish
Explorer

On running this search,

  | makeresults count=20
    | streamstats count
    | eval "genie.name"="foo", "genie:id"="bar"
    | foreach genie* 
        [eval new_<<MATCHSTR>>=<<FIELD>>+"some string"]

I am expecting that two new fields named new_name and new_id would show, but that doesn't happen. Also an error comes up Failed to parse templatized search for field 'genie:id'

I am running on my local Splunk instance.

Thanks.

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

It's not foreach that's failing, it's eval interpreting the dot as the concatenation operator. Enclose field names with operators in them in single quotes:

| foreach genie* [ eval new_<<MATCHSTR>> = '<<FIELD>>' + "some string" ]

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

It's not foreach that's failing, it's eval interpreting the dot as the concatenation operator. Enclose field names with operators in them in single quotes:

| foreach genie* [ eval new_<<MATCHSTR>> = '<<FIELD>>' + "some string" ]

iet_ashish
Explorer

Thank you so much. This worked.

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...