Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use variable within foreach command?

sats2020
New Member
‎04-26-2017 09:42 AM

I'm looping through JSON array and compare each value using a temporary variable but due to some reason the temporary variable is not getting set when I iterate the JSON array.

Please find the code snippet below

index="snow_incident"
| head 1 
| spath path=result{} output=x
| fields - _raw
| mvexpand x
| spath input=x
| eval major_inc_temp = ""
| foreach x [eval Uptime = if(match(major_inc_temp,u_major_incident),"100","200")
| eval major_inc_temp = u_major_incident] | table major_inc_temp,Uptime, cmdb_ci

Please do let me know how do I address this problem

0 Karma
Reply

lguinn2
Legend
‎04-26-2017 01:53 PM

The foreach command iterates over a set of fields - not events. So if I had 6 fields with names that all started with Percent, I could use the foreach command to do the same set of actions for each field Percent*.

You don't specify iteration in Splunk like in programming languages. In fact, you generally don't specify iteration at all.

I suspect that what you want is quite different. You have a set of events and you want to calculate a few field for the various subsets of events. Try something like this:

index="snow_incident"
| head 1 
| spath path=result{} output=x
| fields - _raw
| mvexpand x
| spath input=x
| eval Uptime = if(match(major_inc_temp,u_major_incident),"100","200")
| eval major_inc_temp = u_major_incident
| table major_inc_temp, Uptime, cmdb_ci

The next question is: what do you want to accomplish? Are you trying to find a maximum of something? More info would really be helpful.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...