Hello there,
I am having a hard time figuring out how to use foreach + eval and how it works.
I have something like:
Which can be obtained using this search:
| makeresults
| eval a="test"
| eval result_a_version_1=1
| eval result_a_version_2=3
| eval result_b_version_1=5
| eval result_b_version_2=2
| fields - _time
| table a result_a_version_1 result_b_version_1 result_a_version_2 result_b_version_2
And I am trying to use foreach/eval to get this:
Matching search:
| makeresults
| eval a="test"
| eval result_a_version_1=1
| eval result_a_version_2=3
| eval result_b_version_1=5
| eval result_b_version_2=2
| fields - _time
| eval tota_a_b_version_1=result_a_version_1+result_b_version_1
| eval tota_a_b_version_2=result_a_version_2+result_b_version_2
| table a result_a_version_1 result_b_version_1 tota_a_b_version_1 result_a_version_2 result_b_version_2 tota_a_b_version_2
As the version number can vary, I am guessing I have to use foreach somehow.
Thanks in advance for any tip!
Hi @D2SI,
I'm able to total the similar versions. Can you please try the following search? I'm still working on the field name.
| makeresults
| eval test="test"
| eval result_a_version_1=1
| eval result_a_version_2=3
| eval result_b_version_1=5
| eval result_b_version_2=2
| eval result_a_version_3=50
| eval result_b_version_3=20
| fields - _time
| table test result_a_version_1 result_b_version_1 result_a_version_2 result_b_version_2 result_a_version_3 result_b_version_3
| foreach result_*_version_*
[ eval total_of_version_<<MATCHSEG2>>=if(isnotnull(total_of_version_<<MATCHSEG2>>),total_of_version_<<MATCHSEG2>>+'<<FIELD>>','<<FIELD>>') ]
Thanks
Seems to be what I was after using MATCHSEG2, thanks a lot!
Glad to help you.
Happy Splunking