Splunk Search

foreach with subsearch

kennethyeung
New Member

I have searched in Splunk, and it seems that foreach cannot pass '<<FIELD>>' into a subsearch; I read that I have to use the map command instead.
I have the search below; could someone help me change it to a map search?

index=test code IN (1,3)
| foreach 1 3
    [ eval code<<FIELD>>= [search index=test code=<<FIELD>> | eval c=price | return $c ]]

Thanks

0 Karma

niketn
Legend

@kennethyeung, your query and use case are still not clear. The code button is in the Splunk Answers text box when you type your post.

How are you calculating percent? Can you show an example with data? What is the close field (it has not been mentioned in your prior posts)?

Most likely you do not need join. You can check out eventstats to calculate stats like sum(price) as Total by code and persist the same on the events. Then you can calculate the percent later.

Following is a run-anywhere search that cooks up data as per your question. The commands up to | table date code price generate dummy data.

| makeresults
| eval data="20171108,A,1;20171109,A,1.5;20171110,A,2;20171108,B,10;20171109,B,20;20171110,B,5"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval date=mvindex(data,0), code=mvindex(data,1), price=mvindex(data,2)
| table date code price
| eventstats sum(price) as Total by code
| chart sum(price)  as Price values(Total) as Total by date code
| foreach "Price: *" [ eval "Percent: <<MATCHSTR>>"= round(('<<FIELD>>'/'Total: <<MATCHSTR>>')*100,1)]
| table date Percent*

PS: I am not sure about your logic for the calculation of percent, but hopefully this should guide you.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

kennethyeung
New Member

Hello Niketnilay,

I have some data like below

date, code, price
20171108,A,1
20171109,A,1.5
20171110,A,2
20171108,B,10
20171109,B,20
20171110,B,5

I want to get a result like below
date, codeA, codeB
20171108,,0,0
20171109,,50,200
20171110,,200,-50

My idea is
index=test code IN (1,3)
| foreach 1 3
    [ eval code<<101010>>= [search index=test code=<<101010>> | tail 1 | eval c=price | return $c ]]
| foreach code_* [eval p_code_<<101010>>=close/close_<<101010>>]
| ... chart sum(p_code) by date, code

I need the subsearch to search the oldest record and return the price as the base.

101010=FIELD

Thank you for your help

0 Karma

kennethyeung
New Member

Thanks, I used join to solve my question. Thank you for your help.
I am a newbie in Splunk; I am used to thinking as a programmer.

index=test code IN (A,B)
| join code
    [search index=test
    | tail [search | eval code_count=mvcount(split("A,B",",")) | return $code_count]
    | table code, close
    | rename close as baseclose]
| eval percent=(close-baseclose)/baseclose*100
| chart sum(percent) by date,code

0 Karma
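An added run-anywhere alternative to the join solution above (example search written for this page, not from either poster): it drops the join and the tail subsearch, which rely on the last N events of the index being exactly one per code, and instead sorts by code and date and lets streamstats carry the first close seen per code forward as the baseline. It uses the field names from this thread (date, code, close) and the same sample rows, constructed inline with makeresults so it runs on any Splunk instance.

```spl
| makeresults
| eval data="20171108,A,1;20171109,A,1.5;20171110,A,2;20171108,B,10;20171109,B,20;20171110,B,5"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval date=mvindex(data,0), code=mvindex(data,1), close=tonumber(mvindex(data,2))
| table date code close
| sort 0 code date
| streamstats first(close) as baseclose by code
| eval percent=round((close-baseclose)/baseclose*100,1)
| chart values(percent) by date code
```

Everything up to | table date code close only builds the sample rows; on real data replace it with index=test code IN (A,B) | table date code close (and sort on _time rather than on a string date where possible). For the sample rows the arithmetic gives A: 0, 50, 100 and B: 0, 100, -50. Because there is no subsearch, the search is not bounded by the subsearch result-count and time limits in limits.conf, and adding a third code needs no change to the search.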

niketn
Legend

@kennethyeung, I think you intend to run the map command not foreach. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

If it does not work for you, please re-post your existing search with the code button (101010) so that special characters do not get escaped.

0 Karma