Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why did Splunk 9.0.1 "Fail to parse templatized search for field 'i'"?

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 02:01 PM

I'm trying to use the Splunk 9 addition in foreach iteration with ITEM, but it always returns "Failed to parse templatized search for field 'i'" on my server, which runs 9.0.1.

 

 

 

| makeresults
| eval i = mvrange(0,3)
| foreach i
    [eval showme = <<ITEM>>]

 

 

 

 I previously used <<ITEM>> on a laptop Splunk 9 and it didn't have this error.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:33 PM

Read foreach again.  It turns out that <<ITEM>> iterator requires mode=multivalue (a new flag in Splunk 9).  A proper test construct should be

 

| makeresults
| eval i = mvrange(0,3)
| foreach i mode=multivalue
    [eval showme = mvappend(showme, "equals " . <<ITEM>>)]

 

 

i
showme
0
1
2
equals 0
equals 1
equals 2

Quote is irrelevant in simple field names.

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:07 PM

Thank you, @bowesmana!  Funny enough, change the test to 

| makeresults
| eval i = mvrange(0,3)
| foreach i
    [eval showme = '<<ITEM>>']

(or its mvappend equivalent) does suppress the error, even though it doesn't assign any value to showme - which was my real problem.  In fact, my initial code - for the real problem, used single quotes.  No error but no value, hence the experimentation.  Regardless, the subject question is answered.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-26-2022 05:55 PM

Not sure as I don't have Splunk 9, but that error typically occurs when you don't wrap the right hand side of eval in single quotes.

Just thinking that the value of <<ITEM>> in this case is a numeric 0 to 3, so normally if those numbers were fields, you'd have to wrap them in single quote, e.g.

| makeresults
| eval 0=1
| eval x='0'*2

No idea if that is relevant here though

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:33 PM

Read foreach again.  It turns out that <<ITEM>> iterator requires mode=multivalue (a new flag in Splunk 9).  A proper test construct should be

 

| makeresults
| eval i = mvrange(0,3)
| foreach i mode=multivalue
    [eval showme = mvappend(showme, "equals " . <<ITEM>>)]

 

 

i
showme
0
1
2
equals 0
equals 1
equals 2

Quote is irrelevant in simple field names.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...