Why is multi-value foreach command not returning expected values from template <<ITEM>>?

Splunk_Hatched
Engager

Hi,

I have a multi-value field numbers with each of its values in the format of two numbers separated by a comma (for example 52,29).  For all of these values, I want to have an if statement that does a comparison on both the first number and second number and then return either "true" or "false". 

Currently I have been using the foreach loop with the multi-value mode. However, when debugging why I am receiving the error below, I found that the default template value <<ITEM>>  appears to always return null instead of the values of numbers (isnotnull('<<ITEM>>') returns False).

Shown below is how I am trying to extract the leftmost number using regex with replace and then check if it is greater than 5. Is there something wrong with this search?

| foreach mode=multivalue numbers
    [| eval results=if(tonumber(replace('<<ITEM>>'),  ",\d+",  "")) > 5, "true", "false")]

 

This is the error I get for the search above:

[screenshot of the error message]

Thanks in advance.


yuanliu
SplunkTrust

First, there's a syntax error: you closed the replace() function at '<<ITEM>>' instead of after "".

But a bigger problem is the unclear requirement. For example, given two values in numbers, if one of them is greater than 5 but the other is less than 5, what should result be? The solution will depend on such details.

The following will give you a multivalue results field, which may not be what you wanted.

| foreach mode=multivalue numbers
    [eval results=mvappend(results, if(tonumber(replace('<<ITEM>>',  ",\d+",  "")) > 5, "true", "false"))]

Suppose numbers is (8, 2); results will be ('true', 'false'). If numbers is (2, 8), results is ('false', 'true').


Splunk_Hatched
Engager

Hello yuanliu,

Thank you for pointing out the extra parentheses and lack of clarity in my search. Perhaps this adjusted search would help clarify further what I originally intended:

| foreach mode=multivalue numbers
    [eval results=mvappend(results, if(tonumber(replace('<<ITEM>>', ",\d+", "")) > 5 AND tonumber(replace('<<ITEM>>', "^\d+,", "")) > 5, "true", "false"))]

 
While this adjusted search is now closer to what I intended, the results field only creates two outputs when I wanted to create three (one for each of the three values in the numbers field). The foreach command appears not to have reached the third value.

[two screenshots of the search results]

Further testing to check what '<<ITEM>>' actually returns appears to give a Null value (see the screenshot of testParseNumbers shown below).

| eval testParseNumbers=""
| foreach mode=multivalue numbers
    [eval results=mvappend(results, if(tonumber(replace('<<ITEM>>', ",\d+", "")) > 5 AND tonumber(replace('<<ITEM>>', "^\d+,", "")) > 5, "true", "false")), testParseNumbers=testParseNumbers.tostring('<<ITEM>>')]

[screenshot of the testParseNumbers field]

I would appreciate suggestions on how to fix this. Thank you.


yuanliu
SplunkTrust

The screenshot of numbers shows that your values can be negative, which is represented by "-", not matching "\d+". (It really helps to illustrate data in text, especially as yours are already anonymized.) The following should work on that data set:

| foreach mode=multivalue numbers
    [eval results=mvappend(results, if(tonumber(replace('<<ITEM>>', ",[-\d]+", "")) > 5 AND tonumber(replace('<<ITEM>>', "^[-\d]+,", "")) > 5, "true", "false"))]

Using the sample data shown in that screenshot, the output is

numbers    results
-1,-1      false
0,25535    false
22,3389    true

Is this what you expect? Again, it is perhaps easier to verbalize your criteria, assisted by code or pseudo-code. I interpret your intention as follows: given multivalue pairs of comma-delimited integers, calculate multivalue results; corresponding to each pair, return true if both numbers are greater than 5, false otherwise. (I kind of made this wordier than necessary, but that's the idea.)

I have some suspicion, though, that a multivalue field of results may not be what you wanted, as it may complicate subsequent processing.


Splunk_Hatched
Engager

Hi yuanliu,

Thank you for pointing out my mistakes in the regex and lack of clarity in my desired criteria. Your description of my intended output for results is correct.
You are also correct that a multi-value field is not optimal for my desired results field. Thinking this over, I resolved the issue by using mvexpand on numbers before applying the Boolean logic (i.e. expression > 5).

I greatly appreciate your help to troubleshoot through both my SPL expressions and the implementation of the search.
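Putting yuanliu's foreach/mvappend search beside the mvexpand approach mentioned in the reply above, as an added example that is not part of the original thread. The three sample pairs are constructed with makeresults from the values in the screenshot; the first search keeps results as a multivalue field, the second (run separately) uses mvexpand to get one row per pair, and both use split()/mvindex() instead of a regex so that negative numbers need no special casing. The field names first_num and second_num are my own.

```spl
| makeresults
| eval numbers=split("-1,-1 0,25535 22,3389", " ")
| foreach mode=multivalue numbers
    [eval results=mvappend(results,
        if(tonumber(mvindex(split('<<ITEM>>', ","), 0)) > 5
           AND tonumber(mvindex(split('<<ITEM>>', ","), 1)) > 5,
           "true", "false"))]
| table numbers results

| makeresults
| eval numbers=split("-1,-1 0,25535 22,3389", " ")
| mvexpand numbers
| eval first_num=tonumber(mvindex(split(numbers, ","), 0)),
       second_num=tonumber(mvindex(split(numbers, ","), 1))
| eval result=if(first_num > 5 AND second_num > 5, "true", "false")
| table numbers first_num second_num result
```

Both searches yield false, false, true for the three pairs; note that foreach mode=multivalue requires Splunk 9.0 or later, while the mvexpand variant works on older releases as well.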


bowesmana
SplunkTrust

You have too many closing brackets - remove the one after ITEM

('<<ITEM>>')


Splunk_Hatched
Engager

Thank you for clearly pointing that out. I would appreciate further feedback about my query in my reply to yuanliu.
