Hi All,
I have a requirement to use foreach with search filter.
Example fileds 192345_Employeestatus,207754_Employeestatus,158345_Employeestatus
| foreach *_Employeestatus [search <<MATCHSTR>>_Employeestatus='<<FIELD>>'
(('<<FIELD>>'="") OR ('<<FIELD>>'="new") OR ('<<FIELD>>'="Working") OR ('<<FIELD>>'="exit")
OR ('<<FIELD>>'="IND") OR ('<<FIELD>>'="Aus") OR ('<<FIELD>>'="relocated") OR ('<<FIELD>>'="yettojoin")
OR ('<<FIELD>>'="Manager") OR ('<<FIELD>>'="AsstManager") OR ('<<FIELD>>'="SeniorAss")) ]
But search filter is not filtering the data as expected.
Need your help ..
Thanks in advance..
Learner ...
The gentimes searches just generate some data. This is repeated in the filter search but this is just to get find all the fields which match *_Employeestatus. These are then transposed so column has all these field names. For each field name, create a mv-field with all the values you want to match on, mvexpand this to create a row for each *_Employeestatus field crossed with each value. Then return a field for each *_Employeestatus field with the value to be searched. This becomes your search filter.
| gentimes start=-1 increment=1h
| rename starttime as _time
| fields _time
| eval initial_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4)
| eval current_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4)
| eval future_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4)
| search
[| gentimes start=-1 increment=1h
| rename starttime as _time
| fields _time
| eval initial_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4)
| eval current_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4)
| eval future_Employeestatus=mvindex(split("fired,working,exit,,relocated",","),random()%4)
| stats values(*_Employeestatus) as *_Employeestatus
| transpose 0
| eval status=split("exit,,relocated",",")
| fields column status
| mvexpand status
| eval {column}=status
| fields - column status]
| foreach *_Employeestatus [ eval Employeestatus=mvappend(Employeestatus,'<<FIELD>>')]
| streamstats count as session
| mvexpand Employeestatus
| search Employeestatus="" OR Employeestatus="new" OR ....
| stats values(*) as * by session
| fields - Emplyeestatus session
foreach can't use by search filter, I guess.
What problem are you trying to solve? Where did the requirement to use foreach come from?
Make sure the subsearch makes sense once the variables are substituted. For example:
search 192345_Employeestatus='192345_Employeestatus'
(('192345_Employeestatus'="") OR ('192345_Employeestatus'="new") OR ('192345_Employeestatus'="Working") OR ('192345_Employeestatus'="exit")
OR ('192345_Employeestatus'="IND") OR ('192345_Employeestatus'="Aus") OR ('192345_Employeestatus'="relocated") OR ('192345_Employeestatus'="yettojoin")
OR ('192345_Employeestatus'="Manager") OR ('192345_Employeestatus'="AsstManager") OR ('192345_Employeestatus'="SeniorAss"))
Thanks for your reply.
Now i have 3 field with prefix values of 192345_Employeestatus,207754_Employeestatus,158345_Employeestatus.
In future we will get some more fileds with XXXXXX_Employeestatus. We dont know wht will be that prefix numbers.
So now while writing query itself. We are looking for the solution to get the fields(192345_Employeestatus,207754_Employeestatus,158345_Employeestatus,XXXXXX_Employeestatus etc) in for loop and check them in search filter.
Im trying to use search filter with same values with different fields in foreach loop.
Thanks..