Splunk Search

foreach with subsearch

New Member

i search in splunk , seem that foreach cannot pass the '>FIELD<' into Subsearch , i search that have to use map command
i have below search , could someone help me change to map search?

index=test code IN (1,3)
| foreach 1 3
[ eval code<>= [search index=test code=<> | eval c= price|return $c ]]


Tags (2)
0 Karma

@kennethyeung, your query and use case is still not clear. The code button is in Splunk Answers Text Box when you type in.

How you are calculating percent? Can you show example with data? What is the close field(it has not been mentioned in your prior posts)?

Most likely you do not need join. You can check out eventstats to calculate stats like sum(price) as Total by code and persist the same on events. Then you can calculate percent later.

Following is a run anywhere search that cooks up data as per your question. Commands till | table date code price, generate dummy data.

| makeresults
| eval data="20171108,A,1;20171109,A,1.5;20171110,A,2;20171108,B,10;20171109,B,20;20171110,B,5"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval date=mvindex(data,0), code=mvindex(data,1), price=mvindex(data,2)
| table date code price
| eventstats sum(price) as Total by code
| chart sum(price)  as Price values(Total) as Total by date code
| foreach "Price: *" [ eval "Percent: <<MATCHSTR>>"= round(('<<FIELD>>'/'Total: <<MATCHSTR>>')*100,1)]
| table date Percent*

PS: I am not sure on your logic for Calculation of Percent, but hopefully this should guide you.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

Hello Niketnilay,

I have some data like below

date, code, price

want to get result like below
date, codeA, codeB

my idea is
index=test code IN (1,3)
| foreach 1 3
[ eval code<<101010)> > = [search index=test code=<<101010)> > | tail 1 | eval c= price|return $c ]]
| foreach code_* [eval p_code_<>=close/close_<>]
| ... chart sum(p_code) by date, code

I need the subsearch to search the oldest record and return the price as the base.


Thank your for your help

0 Karma

New Member

Thanks, i use join the solve my question, thank your for your help,
I am newibe in splunk, used to think as programmer.

index=test code IN (A,B)

| join code
[search index=test
| tail
[search |eval code_count = mvcount(split("A,B",","))
| return $code_count]
| table code, close
| rename close as baseclose]
| eval percent=(close-baseclose)/baseclose*100
| chart sum(percent) by date,code

0 Karma

@kennethyeung, I think you intend to run the map command not foreach. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

If it does not work for you, please re-post your existing search with code button (101010) so that special characters do not escape.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...