Solved: How to use Foreach for multiple columns and multip...

ChioNeng · ‎10-16-2020

Hello, I'm having trouble figuring out how to use foreach + eval getting the difference of the fields.

I have something like this:

You can use this search to obtained the above result:

And I'm trying to use foreach/eval to get this:

Thanks in advance 🙂

renjith_nair · ‎10-16-2020

Try

| makeresults
| eval Country="PH"
| eval "2020-01 Actual"=1
| eval "2020-01 Forecast"=2
| eval "2020-02 Actual"=5
| eval "2020-02 Forecast"=4
| eval "2020-03 Actual"=50
| eval "2020-03 Forecast"=20
| append
[| makeresults
| eval Country="IND"
| eval "2020-01 Actual"=3
| eval "2020-01 Forecast"=3
| eval "2020-02 Actual"=2
| eval "2020-02 Forecast"=2
| eval "2020-03 Actual"=40
| eval "2020-03 Forecast"=23
]
| append
[| makeresults
| eval Country="SG"
| eval "2020-01 Actual"=2
| eval "2020-01 Forecast"=4
| eval "2020-02 Actual"=1
| eval "2020-02 Forecast"=9
| eval "2020-03 Actual"=30
| eval "2020-03 Forecast"=53 ]
| fields - _time
| eval prev=0
| foreach 20* [eval <<FIELD>>_DIFF='<<FIELD>>' - prev|eval prev='<<FIELD>>']
| fields - *Actual_DIFF,prev
| rename "* Forecast_DIFF" as "* Difference"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎10-16-2020

Try

| makeresults
| eval Country="PH"
| eval "2020-01 Actual"=1
| eval "2020-01 Forecast"=2
| eval "2020-02 Actual"=5
| eval "2020-02 Forecast"=4
| eval "2020-03 Actual"=50
| eval "2020-03 Forecast"=20
| append
[| makeresults
| eval Country="IND"
| eval "2020-01 Actual"=3
| eval "2020-01 Forecast"=3
| eval "2020-02 Actual"=2
| eval "2020-02 Forecast"=2
| eval "2020-03 Actual"=40
| eval "2020-03 Forecast"=23
]
| append
[| makeresults
| eval Country="SG"
| eval "2020-01 Actual"=2
| eval "2020-01 Forecast"=4
| eval "2020-02 Actual"=1
| eval "2020-02 Forecast"=9
| eval "2020-03 Actual"=30
| eval "2020-03 Forecast"=53 ]
| fields - _time
| eval prev=0
| foreach 20* [eval <<FIELD>>_DIFF='<<FIELD>>' - prev|eval prev='<<FIELD>>']
| fields - *Actual_DIFF,prev
| rename "* Forecast_DIFF" as "* Difference"

---
What goes around comes around. If it helps, hit it with Karma 🙂

ChioNeng · ‎10-21-2020

@renjith_nair thanks for the answer 🙂

How to use Foreach for multiple columns and multiple rows?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation