Splunk Search

How to get foreach, eval, and subsearch to work together in my search?

Explorer

Basically, what I need to do is take some values (x, y, z) that are stored in the summary index, then for each x value, run a subsearch to find values for foo and bar, then create one record with x, y, z, foo, and bar.

Pseudo search:

index=summary earliest=01/01/2016:00:00:00 search_name= | foreach x [eval foo=[search earliest=01/01/2016:00:00:00 <> | fields foo | dedup foo | return $foo]] | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 <> | fields bar | dedup bar | return $bar]]

Where I'm running into trouble is getting eval to accept a string value from return.

A foreach/eval/subsearch works when I return a number:

index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 | head 1 | eval myvar=9 | return $myvar]]

But the same combo fails to populate bar if I return a string:

index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 | head 1 | eval myvar="alskdfj" | return $myvar]]

If I take out the subsearch, eval will accept the string:

index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar="alskdfj"]

Does anyone know why eval works in the first and third case, but not the second?


Explorer

That got me closer. It didn't print out pretty, but since I'm collecting the data for the summary index, it doesn't matter. Thanks!

For posterity's sake:

index=summary earliest=01/01/2016:00:00:00 search_name=redacted | map search="search earliest=01/01/2016:00:00:00 $var_from_query$ |eval var_from_query=$var_from_query$ | stats values(var_from_query), values(var_from_map_search) by redacted | collect marker=\"search_name=testing\" "

This works on small batches, but for some reason only returns 10 rows, when the initial search has over 100,000. On to the next mystery.

Update: there's a maxsearches parameter for the map command, which is by default set to 10.
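As an added example (not from the original thread), the same map-based search with maxsearches set explicitly and the driving field deduplicated first, since map launches one subsearch per input row; the field names other than $var_from_query$ and redacted are assumed placeholders.

```spl
index=summary earliest=01/01/2016:00:00:00 search_name=redacted
| dedup var_from_query
| map maxsearches=1000 search="search earliest=01/01/2016:00:00:00 $var_from_query$
    | eval var_from_query=$var_from_query$
    | stats values(var_from_query), values(var_from_map_search) by redacted"
| collect marker="search_name=testing"
```

Raising maxsearches only lets map run that many subsearches; check the number of distinct var_from_query values first so the job stays within the limit rather than silently truncating.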