foreach variable and search

raychamber
Explorer

I have variables that I am trying to use in a search with a foreach loop...

For example, I have customers: a, b, c, d, e

---

|makeresults | eval customer=a,b,c,d,e |

foreach customer

  search index=main customer

richgalloway
SplunkTrust

What is your question? Are you saying that query doesn't work for you? If so, what results do you get and what results are you expecting?

Try this alternative query.

index=main [ |makeresults | eval customer=a,b,c,d,e | fields customer | format ]
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

I used the same syntax as in the original question, assuming you knew how to make it work. My mistake.

Try this, which builds on the suggestions made by others.

index=main [ |makeresults 
  | eval customer="a,b,c,d,e" 
  | eval customer=split(customer, ",") 
  | mvexpand customer 
  | fields customer 
  | format ]

---
If this reply helps you, Karma would be appreciated.

raychamber
Explorer

index=main [| makeresults
| eval customer = "a, b"
| eval customer = split(customer, ",")
|fields customer |format ]

This doesn't give results...

Having the entry

|eval customer = "a", "b", "c"

gives an error:

Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression.

I assume it can't be formatted that way.

richgalloway
SplunkTrust

Yup. I got carried away with my quotation marks. Try the updated query.
---
If this reply helps you, Karma would be appreciated.

raychamber
Explorer

No luck. I still get no result found, but can run a search and find them individually.


isoutamo
SplunkTrust

Hi

At least this was working with _internal:

index=_internal 
    [| makeresults 
    | eval component = "Metrics, cached, module, startup" 
    | eval component = trim(split(component,",")) 
    | format]

raychamber
Explorer

Right, but this breaks it for some reason...

index=_internal
[| makeresults
| eval component = "thru, cached, module, startup"
| eval component = trim(split(component,","))
| format]

isoutamo
SplunkTrust

For me it's still working. Of course a different number of events, but still it's working.

Just tested on Darwin with 8.0.5 version.


raychamber
Explorer

I get an error in the "eval" command for "customer=a,b,c"

isoutamo
SplunkTrust

You should try:

...
| eval customer = "a, b, c, d" | eval customer = split(customer, ",")
...

raychamber
Explorer

Please forgive me... I am green as green can be...

Do you mean...

index=main 
[| makeresults
| eval customer = "OPT, ANT"
| eval customer = split(customer, ",")
| search customer]

I tried replacing "search customer" with just "format"; neither worked.

isoutamo
SplunkTrust

Hi

How about this:

index=main 
[| makeresults
 | eval customer = "a, b, c, d"
 | eval customer = split(customer, ",")
 | format]

raychamber
Explorer

This is working, but it isn't running the search.

index=main [| makeresults
| eval customer = "OPT, ANT"
| eval customer = split(customer, ",")
| format]

But the search isn't running. I can search for OPT alone:

--

index=main OPT

--

and get results, same for ANT, but this way I don't get anything back.

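An added illustration, not part of any post in this thread: `format` turns each subsearch row into a field-qualified term (`customer="OPT"`), which only matches events that actually carry a `customer` field with that value, whereas `index=main OPT` matches the bare term anywhere in the raw event. The first query is the subsearch run on its own so the generated string is visible in its `search` field; the second is my assumption for the case where the names must be matched as bare terms, using `return $customer`, which emits values without the field name.

```spl
| makeresults
| eval customer="OPT, ANT"
| eval customer=split(customer, ",")
| mvexpand customer
| eval customer=trim(customer)
| fields customer
| format

index=main
    [| makeresults
     | eval customer="OPT, ANT"
     | eval customer=split(customer, ",")
     | mvexpand customer
     | eval customer=trim(customer)
     | fields customer
     | return 2 $customer]
```

Run alone, the first query yields search = ( ( customer="OPT" ) OR ( customer="ANT" ) ), which is exactly what the outer search receives; comparing that to a plain term search is the quickest way to see whether the field match or the term match is what fails.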