Splunk Search

foreach variable and search

Explorer

I have variables that I am trying to use in a search with a foreach loop...

For example, I have customers: a, b, c, d, e

---

|makeresults | eval customer=a,b,c,d,e |

foreach customer

  search index=main customer

SplunkTrust

What is your question? Are you saying that query doesn't work for you? If so, what results do you get and what results are you expecting?

Try this alternative query.

index=main [ |makeresults | eval customer=a,b,c,d,e | fields customer | format ]
---
If this reply helps you, an upvote would be appreciated.

SplunkTrust

I used the same syntax as in the original question, assuming you knew how to make it work.  My mistake.

Try this, which builds on the suggestions made by others.

index=main [ |makeresults 
  | eval customer="a,b,c,d,e" 
  | eval customer=split(customer, ",") 
  | mvexpand customer 
  | fields customer 
  | format ]

Explorer

index=main [| makeresults
| eval customer = "a, b"
| eval customer = split(customer, ",")
|fields customer |format ]

this doesn't give results...

having the entry 

|eval customer = "a", "b", "c"

gives an error

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

I assume it can't be formatted that way.

SplunkTrust
Yup. I got carried away with my quotation marks. Try the updated query.

Explorer

No luck. I still get no result found, but can run a search and find them individually.

Champion

Hi

at least this was working with _internal

index=_internal 
    [| makeresults 
    | eval component = "Metrics, cached, module, startup" 
    | eval component = trim(split(component,",")) 
    | format]

Explorer

Right.. but this breaks it for some reason..

index=_internal
[| makeresults
| eval component = "thru, cached, module, startup"
| eval component = trim(split(component,","))
| format]

Champion

For me it's still working. Of course different amount of different events, but still it's working.

Just tested on Darwin with 8.0.5 version.

Explorer

I get an error in the "eval" command for "customer=a,b,c"

Champion

You should try: 

...
| eval customer = "a, b, c, d" | eval customer = split(customer, ",")
...

Explorer

Please forgive me.. I am green as green can be..

do you mean...

index=main 
[| makeresults
| eval customer = "OPT, ANT"
| eval customer = split(customer, ",")
| search customer]

I tried replacing the "search customer" with just "format"; neither worked.

Champion

Hi

How about this:

index=main 
[| makeresults
 | eval customer = "a, b, c, d"
 | eval customer = split(customer, ",")
 | format]

Explorer

This is working, but it isn't running the search.

index=main [| makeresults
| eval customer = "OPT, ANT"
| eval customer = split(customer, ",")
| format]

but the search isn't running. I can search for OPT alone 

--

index=main OPT

--

and get results, same for ANT, but this way I don't get anything back.
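
Added example, not part of the original thread: with a field named customer, format hands the outer search terms of the form customer="OPT", which only match events that have an extracted customer field, while index=main OPT matches the raw event text. Returning the values in a field named search makes the subsearch emit the bare terms instead. This assumes, as the last post reports, that OPT and ANT occur in the raw events of index=main.

```spl
index=main
    [| makeresults
     | eval customer="OPT, ANT"
     | eval customer=split(customer, ",")
     | mvexpand customer
     | eval search=trim(customer)
     | fields search
     | format]
```

Running the bracketed pipeline on its own, without the enclosing index=main [ ... ], shows the generated string in the search field of the single result, which is a quick way to check what the outer search actually receives.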