Splunk Search

Foreach in Multisearch

IRHM73
Motivator

Hi, I wonder whether someone can help me please.

I've put together the query below using the foreach command, which, although I've read a lot of posts, I've not really used or, if truth be known, understood a great deal.

| multisearch
[ search `gateway_wmf(ClientRequest)` path=*vat*]
[ search `wso2_wmf(RequestCompleted)` "request.detail.apiContext"=*test]
| eval RequestID=coalesce('request.tags.X-Request-ID','requestID')
| dedup eventId
| rename request.detail.applicationProductionClientId as ClientID response.detail.statusCode AS statusCode
| foreach clientHeaders.test* [eval header='<<FIELD>>']
| stats count(header) by RequestID 

The query runs, but there is no new field called "header" created and hence I don't receive my stats count at the end of the query.

Could someone perhaps have a look at this please and offer some guidance on where I've gone wrong and a brief explanation of the 'foreach' command.

Many thanks and kind regards

Chris

0 Karma

tiagofbmm
Influencer

If there is no header field on the search result I guess there is no fields clientHeaders.test with a suffix.

Check this dummy example, where only one field called header is created, which seems to not have much logic when framing this with the foreach command

| makeresults | eval clientHeaders.test1=1, clientHeaders.test2=2
| foreach clientHeaders.test* [eval header='<<FIELD>>']

If you want a separate header_ field for each of the clientHeaders.test* fields, you can use

| makeresults | eval clientHeaders.test1=1, clientHeaders.test2=2
| foreach clientHeaders.test* [eval header_<<MATCHSTR>>='<<FIELD>>']

In my opinion it doesn't seem to be what you want to achieve from what I get from your query. Would you put here an anonymized example of existing fields at this point:

| multisearch
[ search `gateway_wmf(ClientRequest)` path=*vat*]
[ search `wso2_wmf(RequestCompleted)` "request.detail.apiContext"=*test]
| eval RequestID=coalesce('request.tags.X-Request-ID','requestID')
| dedup eventId
| rename request.detail.applicationProductionClientId as ClientID response.detail.statusCode AS statusCode

And get us what you want to get in the end?

0 Karma

mstjohn_splunk
Splunk Employee

Hi @tiagofbmm would you mind copying this solution, and posting it in this post: https://answers.splunk.com/answers/730424/foreach-in-multisearch-1.html

Unfortunately, this question is a duplicate of another post, which means that I have to close it.

Thanks, and let me know if you have any questions.

0 Karma

tiagofbmm
Influencer

@mstjohn_splunk no worries, it's done 😉

0 Karma

mstjohn_splunk
Splunk Employee

@tiagofbmm Thanks so much!

0 Karma

IRHM73
Motivator

Hi @tiagofbmm . Thank you for taking the time to come back to me with this.

The query I posted is correct except for the .test. It is something more restricted, but the process should be the same and so I have changed this when I use it in my system.

There are up to 15 'clientHeaders' fields and there may be more in the future, so I thought, perhaps wrongly, that using 'foreach clientHeaders.test*' would future-proof it.

Many thanks and kind regards

Chris

0 Karma
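The behaviour tiagofbmm describes (a single header field being overwritten on every foreach iteration, so at most the last matching header survives) and Chris's later requirement of up to 15 clientHeaders fields come down to the same fix: accumulate into a multivalue field rather than assigning a scalar. The search below is an added example, not code posted by either participant; it builds three constructed events with makeresults in place of the gateway/wso2 data, so the RequestID values and the clientHeaders.test1, test2 and test3 fields are assumptions.

```spl
| makeresults count=3
| streamstats count AS n
| eval RequestID="req-".n
| eval clientHeaders.test1=if(n>=1, "A", null())
| eval clientHeaders.test2=if(n>=2, "B", null())
| eval clientHeaders.test3=if(n==3, "C", null())
| foreach clientHeaders.test* [eval header=if(isnull('<<FIELD>>'), header, mvappend(header, '<<FIELD>>'))]
| foreach clientHeaders.test* [eval header_<<MATCHSTR>>='<<FIELD>>']
| eval header_count=mvcount(header)
| table RequestID header_1 header_2 header_3 header header_count
| stats values(header) AS headers, max(header_count) AS header_count by RequestID
```

The first foreach appends each matching field's value to one multivalue field header, skipping fields that are absent on a given event, so foreach can see a field name across the result set that a particular event does not carry. The second foreach keeps a per-suffix copy (header_1, header_2, ...) via <<MATCHSTR>>, the part of the field name matched by the wildcard, which is what a future-proof pattern like clientHeaders.test* gives you without listing the fields. Note that stats count(header) in the original query counts events where header is non-null, not the number of headers, so the per-event count is taken with mvcount before stats.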