- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: foreach with Error in 'eval' command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
below my se
index=test code IN (1,3)
| eval code1=1
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_--FIELD--=close/close_$--FIELD--$]
i want to have p_code_1 =close/close_1 and p_code_2=close/close_2
I found out i cannot post << Field >> and use --FIELD-- to replaice
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kennethyeung, please try the following, as per your requirement for fields p_code_1="close/close_1" and p_code_2="close/close_2", you should use <<MATCHSTR>> instead of <<FIELD>> value in foreach eval statement should be in double quotes:
| makeresults
| fields - _time
| eval code1=1
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_<<MATCHSTR>>="close/close_<<MATCHSTR>>"]
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kennethyeung, please try the following, as per your requirement for fields p_code_1="close/close_1" and p_code_2="close/close_2", you should use <<MATCHSTR>> instead of <<FIELD>> value in foreach eval statement should be in double quotes:
| makeresults
| fields - _time
| eval code1=1
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_<<MATCHSTR>>="close/close_<<MATCHSTR>>"]
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
may i know that when use field and when use matchstr?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@kennethyeung, the documentation has different examples to explain these points.
<<field>>: Replaces the entire field
<<MATCHSTR>>: This is a part of the field which you can identify by replacing asterisk (*) in foreach i.e.
| foreach code* implies <<MATCHSTR>> will find 1 and 2 from fields code1 and code2 respectively.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks you your explaination 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay want to ask, is it possible foreach lilke other script?
for example
in my previous search, i need to create eval code1=1, code2=3,
but actually the result is from In (1,3)
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please replace the foreach command with the following '<<field>>' should replace the selected field value:
| foreach code* [eval p_code_<<MATCHSTR>>="close/close_".'<<field>>']
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @kennethyeung,
can you please use 101010 (code sample) to pose search or code ??
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
