Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

foreach and subsearch values

splunk_new1
Explorer
‎02-22-2021 09:43 AM

I am using a table of results 

 a |   b |  c |   search           | d |    e  
===============================================
xx    yy   zzz   index=firstindex    bb    ppp 
yyy  qqq  eeee   index=secondindex   rr    sss
ttt  zxc  asd    index=thirdindex    uy    mmm


based on each result,  I would like to perform a  foreach command to loop through each row of results based on the "search" field and perform a subsearch based on the VALUES in the "search" field,  from a coding's perspective it would be something like 

for each row: 

if field= search: 
      #use value in search
      [search value | return index to main search]

it should evaluate to something like this for each row 

if field=search:
      [search index=index1 | return index]

My desired output is: 

index  
==============  
firstindex
secondindex
thirdindex

 

 Is this possible? I have tried using 

foreach * [eval if <<FIELD>>=="search"[search <<FIELD>>] ","[search <<FIELD>>]]

but this does not seem to work. 

I am aware of the map command, however as my field results have the word index= before the actual index name, I am unable to do a 

search
========================
index=firstindex   
index=secondindex
index=thirdindex


|map search="search index=$search$" 

as I believe ^ would  resolve to map search="search index=index=firstindex "

This would be an error. Is there anyway I can do something like 

|map search="search $search$| stats values(index)"

and have it return something like 

index
==========
firstindex
secondindex
thirdindex



Tried looking around in splunk community forums but they seem to point at map instead of foreach, I am really lost in how I can get around this issue and achieving my desired output, it would be great if someone with more splunk experience can assist me

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-22-2021 11:06 AM

The map command can be made to work, but it's overkill for this situation.  Just extract the index name from the search field using rex.

 

 

... | rex field=search "=(?<indexName>.*)" | ...

 

 

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

splunk_new1
Explorer
‎02-22-2021 06:45 PM

Ah, appreciate this, I have tried it but it does not seem to work.. 

As the search field values may contain more than just one index, it does not seem to be possible, it would be ideal if the entire search field values can be just passed into the search itself as this is the search query.


search

=============
index=index1

index=index2

index=index3
index=(index1 OR index2 OR index3) sourcetype=blahblah
index=`test`

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...