Splunk Search

Foreach in Multisearch

IRHM73
Motivator

Hi, I wonder whether someone can help me please.

I've put together the query below using the foreach command, which, although I've read a lot of posts, I've not really used, or if truth be known understood a great deal.

| multisearch
[ search `gateway_wmf(ClientRequest)` path=*vat*]
[ search `wso2_wmf(RequestCompleted)` "request.detail.apiContext"=*test]
| eval RequestID=coalesce('request.tags.X-Request-ID','requestID')
| dedup eventId
| rename request.detail.applicationProductionClientId as ClientID response.detail.statusCode AS statusCode
| foreach clientHeaders.test* [eval header='<<FIELD>>']
| stats count(header) by RequestID 

The query runs, but there is no new field called "header" created and hence I don't receive my stats count at the end of the query.

Could someone perhaps have a look a this please and offer some guidance on where I've gone wrong and a brief explanation of the 'foreach' command.

Many thanks and kind regards

Chris

0 Karma

tiagofbmm
Influencer

If there is no header field on the search result I guess there is no fields clientHeaders.test with a suffix.

Check this dummy example, where only one field called header is created, which seems to not have much logic when framing this with the foreach command

| makeresults | eval clientHeaders.test1=1, clientHeaders.test2=2
| foreach clientHeaders.test* [eval header='<>']

If you want a field header_ for each of the clientHeaders.test, you can use

| makeresults | eval clientHeaders.test1=1, clientHeaders.test2=2
| foreach clientHeaders.test* [eval header_<>='<>']

In my opinion it doesn't seem to be what you want to achieve from what I get from your query. Would you put here an anonymyzed example of existing fields at this point:

| multisearch
[ search gateway_wmf(ClientRequest) path=vat]
[ search wso2_wmf(RequestCompleted) "request.detail.apiContext"=*test]
| eval RequestID=coalesce('request.tags.X-Request-ID','requestID')
| dedup eventId
| rename request.detail.applicationProductionClientId as ClientID response.detail.statusCode AS statusCode

And get us what you want to get in the end?

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

Hi @tiagofbmm would you mind copying this solution, and posting it in this post: https://answers.splunk.com/answers/730424/foreach-in-multisearch-1.html

Unfortunately, this question is a duplicate of another post, which mean that I have to close it.

Thanks, and let me know if you have any questions.

0 Karma

tiagofbmm
Influencer

@mstjohn_splunk no worries, it's done 😉

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

@tiagofbmm Thanks so much!

0 Karma

IRHM73
Motivator

Hi @tiagofbmm . Thank you for taking the time to come back to me with this.

The query I posted is correct except for the .test. It is something mores restricted but the process should be the same and so I have changed this when I use it in my system.

There are up to 15 'client,header' fields and may be more in the future so I thought, perhaps wrongly that by using 'foreach clientHeaders.test*' would future proof.

Many thanks and kind regards

Chris

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...