Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use variable within foreach command?

sats2020
New Member
‎04-26-2017 09:42 AM

I'm looping through JSON array and compare each value using a temporary variable but due to some reason the temporary variable is not getting set when I iterate the JSON array.

Please find the code snippet below

index="snow_incident"
| head 1 
| spath path=result{} output=x
| fields - _raw
| mvexpand x
| spath input=x
| eval major_inc_temp = ""
| foreach x [eval Uptime = if(match(major_inc_temp,u_major_incident),"100","200")
| eval major_inc_temp = u_major_incident] | table major_inc_temp,Uptime, cmdb_ci

Please do let me know how do I address this problem

0 Karma
Reply

lguinn2
Legend
‎04-26-2017 01:53 PM

The foreach command iterates over a set of fields - not events. So if I had 6 fields with names that all started with Percent, I could use the foreach command to do the same set of actions for each field Percent*.

You don't specify iteration in Splunk like in programming languages. In fact, you generally don't specify iteration at all.

I suspect that what you want is quite different. You have a set of events and you want to calculate a few field for the various subsets of events. Try something like this:

index="snow_incident"
| head 1 
| spath path=result{} output=x
| fields - _raw
| mvexpand x
| spath input=x
| eval Uptime = if(match(major_inc_temp,u_major_incident),"100","200")
| eval major_inc_temp = u_major_incident
| table major_inc_temp, Uptime, cmdb_ci

The next question is: what do you want to accomplish? Are you trying to find a maximum of something? More info would really be helpful.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...
Top