Splunk Search

How to execute a 'foreach' sequentially

New Member

Hello, here is an example of the code I use:

    index="Test"
    | append [search (type="1")
        | stats distinct_count(ID) as r by type
        | eval ID1=(100.00-r)]
    | append [search (type="2")
        | stats distinct_count(ID) as r by type
        | eval ID2=(100.00-r)]
    | append [search (type="3")
        | stats distinct_count(ID) as r by type
        | eval ID3=(100.00-r)]
    | eval Min_all=101, Min_Comp=0, Min_Var1=ID1, Min_Var2=ID2, Min_Var3=ID3
    | foreach Min_Var* [| eval Min_Comp=('<<FIELD>>')
        | eval Min_all=if(
            Min_Comp<Min_all,
            Min_Comp,
            Min_all) ]
    | stats first(ID1), first(ID2), first(ID3), first(Min_all), first(Min_Comp) by type

I have a problem with the execution of the "foreach": it always executes at the beginning of the code and does not wait until the Min values have a value.
Do you know how to do it sequentially?

Thanks !

0 Karma

Super Champion

@telecomdesign, what are you trying to achieve? You might not even need to use foreach in this scenario.

0 Karma

New Member

Thank you, your answer was so useful!
Now we want to have results by serial. So we now have 3 different values, and we would like to execute the foreach for each value.

Here is the code example:

    index="Test"
    | append [search (type="1")
        | stats distinct_count(ID) as r by Serial
        | eval ID1=(100.00-r)]
    | append [search (type="2")
        | stats distinct_count(ID) as r by Serial
        | eval ID2=(100.00-r)]
    | append [search (type="3")
        | stats distinct_count(ID) as r by Serial
        | eval ID3=(100.00-r)]
    | eval Min_all=101, Min_Comp=0
    | eventstats values(ID1) as Min_Var1, values(ID2) as Min_Var2, values(ID3) as Min_Var3
    | foreach Min_Var* [| eval Min_Comp=('<<FIELD>>')
        | eval Min_all=if(
            Min_Comp<Min_all,
            Min_Comp,
            Min_all) ]
    | stats first(ID1), first(ID2), first(ID3), first(Min_all), first(Min_Comp) by Serial

Example of our result:

| ID1 | ID2 | ID3 | Min_all | Min_comp |
|-----|-----|-----|---------|----------|
| 95  | 90  | 96  | 101     | 100      |
| 96  | 91  | 92  | 101     | 100      |
| 98  | 95  | 97  | 101     | 100      |

Min_all and Min_comp aren't right, so we would like to execute the foreach per line. Do you know how we could do it?

0 Karma

Esteemed Legend

I will say it again. Don't focus on what doesn't work or what commands do what. Just tell us what you are trying to do and do it like this:
Show a set of sample events, then show a mockup of the desired result. THEN add some description of the steps (pseudocode, not SPL) of how to get from events to result.

0 Karma

Revered Legend

It would be great if you can post what output you're getting before and after the foreach command, highlighting where the problem is. With much information here, I would suggest this:

Replace the below line in your search

    | eval Min_all=101, Min_Comp=0, Min_Var1=ID1, Min_Var2=ID2, Min_Var3=ID3

with

    | eval Min_all=101, Min_Comp=0 | eventstats values(ID1) as Min_Var1, values(ID2) as Min_Var2, values(ID3) as Min_Var3

0 Karma
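
Added example, not part of any post in this thread: `foreach` expands its template once per matching field and the resulting `eval` runs on each result row, so the values being compared have to sit on the same row. This sketch swaps the three `append` subsearches for a single `stats ... by Serial` with conditional distinct counts, then takes the row-wise minimum. The field names `Serial`, `type` and `ID` come from the thread; the events are constructed with `makeresults` (field `constructed_events`) so the search runs without any index.

```spl
| makeresults
| eval constructed_events="A,1,x1 A,1,x2 A,2,x3 B,1,x4 B,3,x5 B,3,x6 B,3,x7"
| makemv delim=" " constructed_events
| mvexpand constructed_events
| rex field=constructed_events "^(?<Serial>[^,]+),(?<type>[^,]+),(?<ID>.+)$"
| stats dc(eval(if(type="1", ID, null()))) as r1
        dc(eval(if(type="2", ID, null()))) as r2
        dc(eval(if(type="3", ID, null()))) as r3
        by Serial
| eval ID1=100.00-r1, ID2=100.00-r2, ID3=100.00-r3
| eval Min_all=101
| foreach ID1 ID2 ID3
    [eval Min_all=if('<<FIELD>>' < Min_all, '<<FIELD>>', Min_all)]
| table Serial ID1 ID2 ID3 Min_all
```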