Splunk Search

foreach with Error in 'eval' command

kennethyeung
New Member

below my se
index=test code IN (1,3)
| eval code1=1
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_--FIELD--=close/close_$--FIELD--$]

i want to have p_code_1 =close/close_1 and p_code_2=close/close_2

I found out i cannot post << Field >> and use --FIELD-- to replaice

Tags (1)
0 Karma
1 Solution

niketnilay
Legend

@kennethyeung, please try the following, as per your requirement for fields p_code_1="close/close_1" and p_code_2="close/close_2", you should use <<MATCHSTR>> instead of <<FIELD>> value in foreach eval statement should be in double quotes:

| makeresults
| fields - _time
| eval code1=1 
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_<<MATCHSTR>>="close/close_<<MATCHSTR>>"]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

niketnilay
Legend

@kennethyeung, please try the following, as per your requirement for fields p_code_1="close/close_1" and p_code_2="close/close_2", you should use <<MATCHSTR>> instead of <<FIELD>> value in foreach eval statement should be in double quotes:

| makeresults
| fields - _time
| eval code1=1 
| eval close_1=10
| eval close_2=5
| eval code2=3
| foreach code* [eval p_code_<<MATCHSTR>>="close/close_<<MATCHSTR>>"]
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma

kennethyeung
New Member

may i know that when use field and when use matchstr?

Thanks

0 Karma

niketnilay
Legend

@kennethyeung, the documentation has different examples to explain these points.

<<field>>: Replaces the entire field

<<MATCHSTR>>: This is a part of the field which you can identify by replacing asterisk (*) in foreach i.e.

| foreach code* implies <<MATCHSTR>> will find 1 and 2 from fields code1 and code2 respectively.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kennethyeung
New Member

Thanks you your explaination 🙂

0 Karma

kennethyeung
New Member

@niketnilay want to ask, is it possible foreach lilke other script?
for example

in my previous search, i need to create eval code1=1, code2=3,
but actually the result is from In (1,3)

Thanks

0 Karma

niketnilay
Legend

Please replace the foreach command with the following '<<field>>' should replace the selected field value:

| foreach code* [eval p_code_<<MATCHSTR>>="close/close_".'<<field>>']
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

hi @kennethyeung,

can you please use 101010 (code sample) to pose search or code ??

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.