Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

foreach and subsearch

splunk_new1
Explorer
‎02-21-2021 07:49 PM

I am using a table of results 

 

 a |   b |  c |   search           | d |    e  
===============================================
xx    yy   zzz   index=firstindex    bb    ppp 
yyy  qqq  eeee   index=secondindex   rr    sss
ttt  zxc  asd    index=thirdindex    uy    mmm

 


based on each result,  I would like to perform a  foreach command to loop through each row of results based on the "search" field and perform a subsearch based on the VALUES in the "search" field,  from a coding's perspective it would be something like 

 

for each row: 

if field= search: 
      #use value in search
      [search value | return index to main search]

it should evaluate to something like this for each row 

if field=search:
      [search index=index1 | return index]

 

My desired output is: 

 

index  
==============  
firstindex
secondindex
thirdindex

 

 Is this possible? I have tried using 

foreach * [eval if <<FIELD>>=="search"[search <<FIELD>>] ","[search <<FIELD>>]]

but this does not seem to work. 

Tried looking around in splunk community forums but the queries do not seem to be the same as what I am intending to do

Labels (1)
Labels
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-22-2021 12:52 AM

Hi @splunk_new1,

You can try using map command. Since it is not clear, your final desired output I cannot give you a sample. Please check the documentation below; 

https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/Map 

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

splunk_new1
Explorer
‎02-22-2021 02:54 AM

Hi, 

Thanks for your reply. I have posted an update to my question with my desired output. 

I am aware of the map command, however as my field results have the word index= before the actual index name, I am unable to do a 

search
========================
index=firstindex   
index=secondindex
index=thirdindex


|map search="search index=$search$" 

as I believe ^ would  resolve to map search="search index=index=firstindex  

This would be an error. Is there anyway I can do something like 

|map search="search $search$| stats values(index)"

and have it return something like 

index
==========
firstindex
secondindex
thirdindex
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...