Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why did Splunk 9.0.1 "Fail to parse templatized search for field 'i'"?

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 02:01 PM

I'm trying to use the Splunk 9 addition in foreach iteration with ITEM, but it always returns "Failed to parse templatized search for field 'i'" on my server, which runs 9.0.1.

 

 

 

| makeresults
| eval i = mvrange(0,3)
| foreach i
    [eval showme = <<ITEM>>]

 

 

 

 I previously used <<ITEM>> on a laptop Splunk 9 and it didn't have this error.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:33 PM

Read foreach again.  It turns out that <<ITEM>> iterator requires mode=multivalue (a new flag in Splunk 9).  A proper test construct should be

 

| makeresults
| eval i = mvrange(0,3)
| foreach i mode=multivalue
    [eval showme = mvappend(showme, "equals " . <<ITEM>>)]

 

 

i
showme
0
1
2
equals 0
equals 1
equals 2

Quote is irrelevant in simple field names.

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:07 PM

Thank you, @bowesmana!  Funny enough, change the test to 

| makeresults
| eval i = mvrange(0,3)
| foreach i
    [eval showme = '<<ITEM>>']

(or its mvappend equivalent) does suppress the error, even though it doesn't assign any value to showme - which was my real problem.  In fact, my initial code - for the real problem, used single quotes.  No error but no value, hence the experimentation.  Regardless, the subject question is answered.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-26-2022 05:55 PM

Not sure as I don't have Splunk 9, but that error typically occurs when you don't wrap the right hand side of eval in single quotes.

Just thinking that the value of <<ITEM>> in this case is a numeric 0 to 3, so normally if those numbers were fields, you'd have to wrap them in single quote, e.g.

| makeresults
| eval 0=1
| eval x='0'*2

No idea if that is relevant here though

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:33 PM

Read foreach again.  It turns out that <<ITEM>> iterator requires mode=multivalue (a new flag in Splunk 9).  A proper test construct should be

 

| makeresults
| eval i = mvrange(0,3)
| foreach i mode=multivalue
    [eval showme = mvappend(showme, "equals " . <<ITEM>>)]

 

 

i
showme
0
1
2
equals 0
equals 1
equals 2

Quote is irrelevant in simple field names.

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...