Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

foreach and subsearch values

splunk_new1
Explorer
‎02-22-2021 09:43 AM

I am using a table of results 

 a |   b |  c |   search           | d |    e  
===============================================
xx    yy   zzz   index=firstindex    bb    ppp 
yyy  qqq  eeee   index=secondindex   rr    sss
ttt  zxc  asd    index=thirdindex    uy    mmm


based on each result,  I would like to perform a  foreach command to loop through each row of results based on the "search" field and perform a subsearch based on the VALUES in the "search" field,  from a coding's perspective it would be something like 

for each row: 

if field= search: 
      #use value in search
      [search value | return index to main search]

it should evaluate to something like this for each row 

if field=search:
      [search index=index1 | return index]

My desired output is: 

index  
==============  
firstindex
secondindex
thirdindex

 

 Is this possible? I have tried using 

foreach * [eval if <<FIELD>>=="search"[search <<FIELD>>] ","[search <<FIELD>>]]

but this does not seem to work. 

I am aware of the map command, however as my field results have the word index= before the actual index name, I am unable to do a 

search
========================
index=firstindex   
index=secondindex
index=thirdindex


|map search="search index=$search$" 

as I believe ^ would  resolve to map search="search index=index=firstindex "

This would be an error. Is there anyway I can do something like 

|map search="search $search$| stats values(index)"

and have it return something like 

index
==========
firstindex
secondindex
thirdindex



Tried looking around in splunk community forums but they seem to point at map instead of foreach, I am really lost in how I can get around this issue and achieving my desired output, it would be great if someone with more splunk experience can assist me

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-22-2021 11:06 AM

The map command can be made to work, but it's overkill for this situation.  Just extract the index name from the search field using rex.

 

 

... | rex field=search "=(?<indexName>.*)" | ...

 

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

splunk_new1
Explorer
‎02-22-2021 06:45 PM

Ah, appreciate this, I have tried it but it does not seem to work.. 

As the search field values may contain more than just one index, it does not seem to be possible, it would be ideal if the entire search field values can be just passed into the search itself as this is the search query.


search

=============
index=index1

index=index2

index=index3
index=(index1 OR index2 OR index3) sourcetype=blahblah
index=`test`

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...