- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to excuse a 'foreach' sequentially
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to excuse a 'foreach' sequentially
Hello here is an example of the code I use:
index="Test"
| append [search (type="1")
| stats distinct_count(ID) as r by type
| eval ID1=(100.00-r)]
| append [search (type="2")
| stats distinct_count(ID) as r by type
| eval ID2=(100.00-r)]
| append [search (type="3")
| stats distinct_count(ID) as r by type
| eval ID3=(100.00-r)]
|eval Min_all=101,Min_Comp=0, Min_Var1=ID1, Min_Var2=ID2, Min_Var3=ID3
|foreach Min_Var* [|eval Min_Comp=('<>')
| eval Min_all=if(
Min_Comp<Min_all,
Min_Comp,
Min_all) ]
| stats first(ID1),first(ID2),first(ID3), first(Min_all), first(Min_Comp) by type
I have a problem with the execution of the "foreach" it always execute at the begining of the code and does not wait that the Min value have a value.
Do you know how to do it sequentialy ?
Thanks !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@telecomdesign, what are you trying to achieve ? You might not even to use foreach in this scenario.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, your answer was so usefull !
Now we want to have result by serial. So we have now 3 different values, and we would like to execute the foreach for each value.
Here the code' example
index="Test"
| append [search (type="1")
| stats distinct_count(ID) as r by Serial
| eval ID1=(100.00-r)]
| append [search (type="2")
| stats distinct_count(ID) as r by Serial
| eval ID2=(100.00-r)]
| append [search (type="3")
| stats distinct_count(ID) as r by Serial
| eval ID3=(100.00-r)]
|eval Min_all=101,Min_Comp=0
| eventstats values(ID1) as Min_Var1 , values(ID2) as Min_Var2, values(ID3) as Min_Var3
|foreach Min_Var* [|eval Min_Comp=('<>')
| eval Min_all=if(
Min_Comp<Min_all,
Min_Comp,
Min_all) ]
| stats first(ID1),first(ID2),first(ID3), first(Min_all), first(Min_Comp) by Serial
example of our result
ID1 ID2 ID3 Min_all Min_comp
95 90 96 101 100
96 91 92 101 100
98 95 97 101 100
Min_all and Min_comp aren't right so we would like execute the foreach by line do you know how could we do it ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will say it again. Don't focus on what doesn't work or what commands do what. Just tell us what you are trying to do and do it like this:
Show a set of sample events, then show a mockup of the desire result. THEN add some description of the steps (pseudocode, not SPL) of how to get from events to result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would be great if you can post what output you're getting before and after the foreach command and highlighting where is problem is. With much information here, I would suggest this
replace below line in your search
|eval Min_all=101,Min_Comp=0, Min_Var1=ID1, Min_Var2=ID2, Min_Var3=ID3
with
|eval Min_all=101,Min_Comp=0 | eventstats values(ID1) as Min_Var1 , values(ID2) as Min_Var2, values(ID3) as Min_Var3
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
