
foreach issue

Path Finder

Hi,

Can the FOREACH command read a text value? I am having an issue creating new columns:
foreach IM_* [eval TYPE='<<FIELD>>']

So if the column names are A, B, C, ... I would like to create the eval expressions eval TYPE= A, eval TYPE = B and so on, created automatically instead of creating them one by one.

Thank you

0 Karma

Re: foreach issue

Esteemed Legend

I cannot make sense of your question as it is written. It will REALLY help if you give an example dataset and also an example of desired final output.

0 Karma

Re: foreach issue

SplunkTrust

If you have fields called 'A', 'B', and 'C', then foreach IM_* ... will not match on them. Perhaps there is another way to accomplish your goal if you'll tell us what you want to do.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: foreach issue

Path Finder

Hi,
Sorry for the unclear explanation. I have just figured it out myself.

My point was to create two new fields:
FLAG - shows how many fields are populated for some values (1 if it is some value)
TYPE - creates a lot of new fields with the name of the column

So I get two new flag fields: FLAG, TYPE

eval TYPE= "" | foreach IM_* [eval TYPE= TYPE.if(isnotnull('<<MATCHSTR>>'), "<<MATCHSTR>>#", "")] | makemv delim="#" TYPE | foreach IM_* [eval FLAG=if(isnull(<<MATCHSTR>>),0,1)]

0 Karma

Re: foreach issue

SplunkTrust

Please accept your answer so others who have a similar problem in the future can find it.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: foreach issue

Esteemed Legend

I edited your answer to fix some markdown problems but I am not sure that I got it correct so please do double-check before clicking "Accept". I am pretty sure that your FLAG part is wrong because the assignment is overwriting itself every time so you are only getting the effect of the last field. Perhaps you meant this?

eval TYPE= "" | foreach IM_* [eval TYPE= TYPE.if(isnotnull('<<MATCHSTR>>'), "<<MATCHSTR>>#", "")] | makemv delim="#" TYPE | foreach IM_* [eval FLAG=FLAG + if(isnull(<<MATCHSTR>>),0,1)]
0 Karma
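
An added example, not part of any post in this thread: a self-contained search that builds TYPE and an accumulating FLAG in a single foreach pass, with FLAG initialised to 0 first because eval arithmetic on a field that does not exist yet returns null. The IM_A, IM_B and IM_C fields and their values are constructed sample data from makeresults (row 2 has none of them populated), and '<<FIELD>>' (the full matched field name) is used here in place of <<MATCHSTR>> (only the part matched by the wildcard), so the null test reads the IM_* field itself.

```spl
| makeresults count=3
| streamstats count AS row
| eval IM_A=if(row!=2, "a", null()),
       IM_B=if(row=1, "b", null()),
       IM_C=if(row=3, "c", null())
| eval TYPE="", FLAG=0
| foreach IM_*
    [ eval TYPE=TYPE.if(isnotnull('<<FIELD>>'), "<<FIELD>>#", ""),
           FLAG=FLAG + if(isnull('<<FIELD>>'), 0, 1) ]
| makemv delim="#" TYPE
| table row IM_A IM_B IM_C TYPE FLAG
```
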

Re: foreach issue

Path Finder

It is happening like you said. The last value is shown in FLAG. I was trying to add the part that you mentioned, but unfortunately it is not working.

However, I have made this simpler. I have changed the FLAG eval expression. Results are as expected (now it is showing me how many values are in every column).
The previous version also works, but the second FOREACH statement did not do anything (all the job is done in status - count).

eval TYPE= "" | foreach IM* [eval TYPE= TYPE.if(isnotnull('<>'), "<>#", "")] | makemv delim="#" TYPE |
eval FLAG="FLAG" | stats count(FLAG) as COUNT by TYPE, REPORT
PERIOD

0 Karma