Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

foreach and subsearch

splunk_new1
Explorer
‎02-21-2021 07:49 PM

I am using a table of results 

 

 a |   b |  c |   search           | d |    e  
===============================================
xx    yy   zzz   index=firstindex    bb    ppp 
yyy  qqq  eeee   index=secondindex   rr    sss
ttt  zxc  asd    index=thirdindex    uy    mmm

 


based on each result,  I would like to perform a  foreach command to loop through each row of results based on the "search" field and perform a subsearch based on the VALUES in the "search" field,  from a coding's perspective it would be something like 

 

for each row: 

if field= search: 
      #use value in search
      [search value | return index to main search]

it should evaluate to something like this for each row 

if field=search:
      [search index=index1 | return index]

 

My desired output is: 

 

index  
==============  
firstindex
secondindex
thirdindex

 

 Is this possible? I have tried using 

foreach * [eval if <<FIELD>>=="search"[search <<FIELD>>] ","[search <<FIELD>>]]

but this does not seem to work. 

Tried looking around in splunk community forums but the queries do not seem to be the same as what I am intending to do

Labels (1)
Labels
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-22-2021 12:52 AM

Hi @splunk_new1,

You can try using map command. Since it is not clear, your final desired output I cannot give you a sample. Please check the documentation below; 

https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Map 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

splunk_new1
Explorer
‎02-22-2021 02:54 AM

Hi, 

Thanks for your reply. I have posted an update to my question with my desired output. 

I am aware of the map command, however as my field results have the word index= before the actual index name, I am unable to do a 

search
========================
index=firstindex   
index=secondindex
index=thirdindex


|map search="search index=$search$" 

as I believe ^ would  resolve to map search="search index=index=firstindex  

This would be an error. Is there anyway I can do something like 

|map search="search $search$| stats values(index)"

and have it return something like 

index
==========
firstindex
secondindex
thirdindex
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...