below my se
index=test code IN (1,3)
| eval code1=1
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_--FIELD--=close/close_$--FIELD--$]
i want to have p_code_1 =close/close_1 and p_code_2=close/close_2
I found out i cannot post << Field >> and use --FIELD-- to replaice
@kennethyeung, please try the following, as per your requirement for fields p_code_1="close/close_1" and p_code_2="close/close_2"
, you should use <<MATCHSTR>>
instead of <<FIELD>>
value in foreach eval statement should be in double quotes:
| makeresults
| fields - _time
| eval code1=1
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_<<MATCHSTR>>="close/close_<<MATCHSTR>>"]
@kennethyeung, please try the following, as per your requirement for fields p_code_1="close/close_1" and p_code_2="close/close_2"
, you should use <<MATCHSTR>>
instead of <<FIELD>>
value in foreach eval statement should be in double quotes:
| makeresults
| fields - _time
| eval code1=1
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_<<MATCHSTR>>="close/close_<<MATCHSTR>>"]
may i know that when use field and when use matchstr?
Thanks
@kennethyeung, the documentation has different examples to explain these points.
<<field>>
: Replaces the entire field
<<MATCHSTR>>
: This is a part of the field which you can identify by replacing asterisk (*)
in foreach i.e.
| foreach code*
implies <<MATCHSTR>>
will find 1
and 2
from fields code1
and code2
respectively.
Thanks you your explaination 🙂
@niketnilay want to ask, is it possible foreach lilke other script?
for example
in my previous search, i need to create eval code1=1, code2=3,
but actually the result is from In (1,3)
Thanks
Please replace the foreach command with the following '<<field>>'
should replace the selected field value:
| foreach code* [eval p_code_<<MATCHSTR>>="close/close_".'<<field>>']
hi @kennethyeung,
can you please use 101010
(code sample) to pose search or code ??