foreach issue

akawacz
Path Finder

Hi,

Can the FOREACH command read a text value? I am having an issue creating new columns:
foreach IM_* [eval TYPE='<<FIELD>>']

So if the column names are A, B, C, ... I would like to create the eval expressions eval TYPE=A, eval TYPE=B and so on, which are created automatically instead of creating them one by one.

Thank you

1 Solution

akawacz
Path Finder

Hi,
Sorry for the unclear explanation. I have just figured it out myself.

My point was to create two new fields:
FLAG - shows how many fields are populated for some values (1 if it has some value)
TYPE - creates a lot of new fields with the name of the column

So I get two new flag fields, FLAG and TYPE:

eval TYPE= "" | foreach IM_* [eval TYPE= TYPE.if(isnotnull('<<MATCHSTR>>'), "<<MATCHSTR>>#", "")] | makemv delim="#" TYPE | foreach IM_* [eval FLAG=if(isnull(<<MATCHSTR>>),0,1)]

woodcock
Esteemed Legend

I edited your answer to fix some markdown problems but I am not sure that I got it correct so please do double-check before clicking "Accept". I am pretty sure that your FLAG part is wrong because the assignment is overwriting itself every time so you are only getting the effect of the last field. Perhaps you meant this?

eval TYPE= "" | foreach IM_* [eval TYPE= TYPE.if(isnotnull('<<MATCHSTR>>'), "<<MATCHSTR>>#", "")] | makemv delim="#" TYPE | foreach IM_* [eval FLAG=FLAG + if(isnull(<<MATCHSTR>>),0,1)]
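An accumulating FLAG only works if FLAG starts at 0, because eval treats null + 1 as null. The search below is an added, self-contained example (not code from any poster in this thread) that builds both fields on a constructed dataset: it uses '<<FIELD>>' (single quotes, the field's value) for the null test and "<<MATCHSTR>>" (double quotes, the wildcard part of the name as a string) for the label.

```spl
| makeresults count=3
| streamstats count AS id
| eval IM_A=if(id<=2,"a",null()), IM_B=if(id==1,"b",null()), IM_C=if(id==3,"c",null())
| fields - _time
| eval TYPE="", FLAG=0
| foreach IM_* [eval TYPE=TYPE.if(isnotnull('<<FIELD>>'),"<<MATCHSTR>>#",""), FLAG=FLAG+if(isnull('<<FIELD>>'),0,1)]
| eval TYPE=rtrim(TYPE,"#")
| makemv delim="#" TYPE
| table id IM_A IM_B IM_C TYPE FLAG
```

For the constructed rows this yields id=1 with TYPE A,B and FLAG 2, id=2 with TYPE A and FLAG 1, and id=3 with TYPE C and FLAG 1; the rtrim step removes the trailing separator so makemv does not produce an empty last value.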

akawacz
Path Finder

It is happening like you said. The last value is shown in FLAG. I was trying to add the part you mentioned, but unfortunately it is not working.

However, I have made this simpler. I have changed the FLAG eval expression. The results are as expected (now it shows me how many values are in every column).
The previous version also works, but the second FOREACH statement did not do anything; all the work is done in stats count.

eval TYPE= "" | foreach IM_* [eval TYPE= TYPE.if(isnotnull('<<MATCHSTR>>'), "<<MATCHSTR>>#", "")] | makemv delim="#" TYPE |
eval FLAG="FLAG" | stats count(FLAG) as COUNT by TYPE, REPORT_PERIOD


richgalloway
SplunkTrust

Please accept your answer so others who have a similar problem in the future can find it.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

If you have fields called 'A', 'B', and 'C', then foreach IM_* ... will not match on them. Perhaps there is another way to accomplish your goal if you'll tell us what you want to do.

---
If this reply helps you, Karma would be appreciated.

woodcock
Esteemed Legend

I cannot make sense of your question as it is written. It will REALLY help if you give an example dataset and also an example of desired final output.
