Splunk Search

foreach with subsearch

New Member

i search in splunk , seem that foreach cannot pass the '>FIELD<' into Subsearch , i search that have to use map command
i have below search , could someone help me change to map search?

index=test code IN (1,3)
| foreach 1 3
[ eval code<>= [search index=test code=<> | eval c= price|return $c ]]


Tags (2)
0 Karma


@kennethyeung, your query and use case is still not clear. The code button is in Splunk Answers Text Box when you type in.

How you are calculating percent? Can you show example with data? What is the close field(it has not been mentioned in your prior posts)?

Most likely you do not need join. You can check out eventstats to calculate stats like sum(price) as Total by code and persist the same on events. Then you can calculate percent later.

Following is a run anywhere search that cooks up data as per your question. Commands till | table date code price, generate dummy data.

| makeresults
| eval data="20171108,A,1;20171109,A,1.5;20171110,A,2;20171108,B,10;20171109,B,20;20171110,B,5"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval date=mvindex(data,0), code=mvindex(data,1), price=mvindex(data,2)
| table date code price
| eventstats sum(price) as Total by code
| chart sum(price)  as Price values(Total) as Total by date code
| foreach "Price: *" [ eval "Percent: <<MATCHSTR>>"= round(('<<FIELD>>'/'Total: <<MATCHSTR>>')*100,1)]
| table date Percent*

PS: I am not sure on your logic for Calculation of Percent, but hopefully this should guide you.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

Hello Niketnilay,

I have some data like below

date, code, price

want to get result like below
date, codeA, codeB

my idea is
index=test code IN (1,3)
| foreach 1 3
[ eval code<<101010)> > = [search index=test code=<<101010)> > | tail 1 | eval c= price|return $c ]]
| foreach code_* [eval p_code_<>=close/close_<>]
| ... chart sum(p_code) by date, code

I need the subsearch to search the oldest record and return the price as the base.


Thank your for your help

0 Karma

New Member

Thanks, i use join the solve my question, thank your for your help,
I am newibe in splunk, used to think as programmer.

index=test code IN (A,B)

| join code
[search index=test
| tail
[search |eval code_count = mvcount(split("A,B",","))
| return $code_count]
| table code, close
| rename close as baseclose]
| eval percent=(close-baseclose)/baseclose*100
| chart sum(percent) by date,code

0 Karma


@kennethyeung, I think you intend to run the map command not foreach. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

If it does not work for you, please re-post your existing search with code button (101010) so that special characters do not escape.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...