Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why did Splunk 9.0.1 "Fail to parse templatized search for field 'i'"?

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 02:01 PM

I'm trying to use the Splunk 9 addition in foreach iteration with ITEM, but it always returns "Failed to parse templatized search for field 'i'" on my server, which runs 9.0.1.

 

 

 

| makeresults
| eval i = mvrange(0,3)
| foreach i
    [eval showme = <<ITEM>>]

 

 

 

 I previously used <<ITEM>> on a laptop Splunk 9 and it didn't have this error.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:33 PM

Read foreach again.  It turns out that <<ITEM>> iterator requires mode=multivalue (a new flag in Splunk 9).  A proper test construct should be

 

| makeresults
| eval i = mvrange(0,3)
| foreach i mode=multivalue
    [eval showme = mvappend(showme, "equals " . <<ITEM>>)]

 

 

i
showme
0
1
2
equals 0
equals 1
equals 2

Quote is irrelevant in simple field names.

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:07 PM

Thank you, @bowesmana!  Funny enough, change the test to 

| makeresults
| eval i = mvrange(0,3)
| foreach i
    [eval showme = '<<ITEM>>']

(or its mvappend equivalent) does suppress the error, even though it doesn't assign any value to showme - which was my real problem.  In fact, my initial code - for the real problem, used single quotes.  No error but no value, hence the experimentation.  Regardless, the subject question is answered.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-26-2022 05:55 PM

Not sure as I don't have Splunk 9, but that error typically occurs when you don't wrap the right hand side of eval in single quotes.

Just thinking that the value of <<ITEM>> in this case is a numeric 0 to 3, so normally if those numbers were fields, you'd have to wrap them in single quote, e.g.

| makeresults
| eval 0=1
| eval x='0'*2

No idea if that is relevant here though

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:33 PM

Read foreach again.  It turns out that <<ITEM>> iterator requires mode=multivalue (a new flag in Splunk 9).  A proper test construct should be

 

| makeresults
| eval i = mvrange(0,3)
| foreach i mode=multivalue
    [eval showme = mvappend(showme, "equals " . <<ITEM>>)]

 

 

i
showme
0
1
2
equals 0
equals 1
equals 2

Quote is irrelevant in simple field names.

Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...