Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

foreach and subsearch

splunk_new1
Explorer
‎02-21-2021 07:49 PM

I am using a table of results 

 

 a |   b |  c |   search           | d |    e  
===============================================
xx    yy   zzz   index=firstindex    bb    ppp 
yyy  qqq  eeee   index=secondindex   rr    sss
ttt  zxc  asd    index=thirdindex    uy    mmm

 


based on each result,  I would like to perform a  foreach command to loop through each row of results based on the "search" field and perform a subsearch based on the VALUES in the "search" field,  from a coding's perspective it would be something like 

 

for each row: 

if field= search: 
      #use value in search
      [search value | return index to main search]

it should evaluate to something like this for each row 

if field=search:
      [search index=index1 | return index]

 

My desired output is: 

 

index  
==============  
firstindex
secondindex
thirdindex

 

 Is this possible? I have tried using 

foreach * [eval if <<FIELD>>=="search"[search <<FIELD>>] ","[search <<FIELD>>]]

but this does not seem to work. 

Tried looking around in splunk community forums but the queries do not seem to be the same as what I am intending to do

Labels (1)
Labels
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-22-2021 12:52 AM

Hi @splunk_new1,

You can try using map command. Since it is not clear, your final desired output I cannot give you a sample. Please check the documentation below; 

https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Map 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

splunk_new1
Explorer
‎02-22-2021 02:54 AM

Hi, 

Thanks for your reply. I have posted an update to my question with my desired output. 

I am aware of the map command, however as my field results have the word index= before the actual index name, I am unable to do a 

search
========================
index=firstindex   
index=secondindex
index=thirdindex


|map search="search index=$search$" 

as I believe ^ would  resolve to map search="search index=index=firstindex  

This would be an error. Is there anyway I can do something like 

|map search="search $search$| stats values(index)"

and have it return something like 

index
==========
firstindex
secondindex
thirdindex
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...