Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use variable within foreach command?

sats2020
New Member
‎04-26-2017 09:42 AM

I'm looping through JSON array and compare each value using a temporary variable but due to some reason the temporary variable is not getting set when I iterate the JSON array.

Please find the code snippet below

index="snow_incident"
| head 1 
| spath path=result{} output=x
| fields - _raw
| mvexpand x
| spath input=x
| eval major_inc_temp = ""
| foreach x [eval Uptime = if(match(major_inc_temp,u_major_incident),"100","200")
| eval major_inc_temp = u_major_incident] | table major_inc_temp,Uptime, cmdb_ci

Please do let me know how do I address this problem

0 Karma
Reply

lguinn2
Legend
‎04-26-2017 01:53 PM

The foreach command iterates over a set of fields - not events. So if I had 6 fields with names that all started with Percent, I could use the foreach command to do the same set of actions for each field Percent*.

You don't specify iteration in Splunk like in programming languages. In fact, you generally don't specify iteration at all.

I suspect that what you want is quite different. You have a set of events and you want to calculate a few field for the various subsets of events. Try something like this:

index="snow_incident"
| head 1 
| spath path=result{} output=x
| fields - _raw
| mvexpand x
| spath input=x
| eval Uptime = if(match(major_inc_temp,u_major_incident),"100","200")
| eval major_inc_temp = u_major_incident
| table major_inc_temp, Uptime, cmdb_ci

The next question is: what do you want to accomplish? Are you trying to find a maximum of something? More info would really be helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...