
foreach with subsearch

New Member

I searched in Splunk, and it seems that foreach cannot pass the '>FIELD<' into a subsearch; I found that I have to use the map command.
I have the search below. Could someone help me change it to a map search?

index=test code IN (1,3)
| foreach 1 3
[ eval code<>= [search index=test code=<> | eval c= price|return $c ]]

Thanks

0 Karma

Re: foreach with subsearch

Legend

@kennethyeung, I think you intend to run the map command not foreach. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

If it does not work for you, please re-post your existing search with the code button (101010) so that special characters do not escape.




| eval message="Happy Splunking!!!"


0 Karma

Re: foreach with subsearch

New Member

Hello Niketnilay,

I have some data like below

date, code, price
20171108,A,1
20171109,A,1.5
20171110,A,2
20171108,B,10
20171109,B,20
20171110,B,5

I want to get a result like below
date, codeA, codeB
20171108,,0,0
20171109,,50,200
20171110,,200,-50

My idea is
index=test code IN (1,3)
| foreach 1 3
[ eval code<<101010)> > = [search index=test code=<<101010)> > | tail 1 | eval c= price|return $c ]]
| foreach code* [eval pcode<>=close/close<>]
| ... chart sum(p_code) by date, code

I need the subsearch to search the oldest record and return the price as the base.

101010=FIELD

Thank you for your help

0 Karma

Re: foreach with subsearch

New Member

Thanks, I used join to solve my question. Thank you for your help.
I am a newbie in Splunk, used to thinking as a programmer.

index=test code IN (A,B)

| join code
[search index=test
| tail
[search |eval codecount = mvcount(split("A,B",","))
| return $codecount]
| table code, close
| rename close as baseclose]
| eval percent=(close-baseclose)/baseclose*100
| chart sum(percent) by date,code

0 Karma

Re: foreach with subsearch

Legend

@kennethyeung, your query and use case is still not clear. The code button is in Splunk Answers Text Box when you type in.

How are you calculating percent? Can you show an example with data? What is the close field (it has not been mentioned in your prior posts)?

Most likely you do not need join. You can check out eventstats to calculate stats like sum(price) as Total by code and persist the same on events. Then you can calculate percent later.

Following is a run anywhere search that cooks up data as per your question. Commands till | table date code price, generate dummy data.

| makeresults
| eval data="20171108,A,1;20171109,A,1.5;20171110,A,2;20171108,B,10;20171109,B,20;20171110,B,5"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval date=mvindex(data,0), code=mvindex(data,1), price=mvindex(data,2)
| table date code price
| eventstats sum(price) as Total by code
| chart sum(price)  as Price values(Total) as Total by date code
| foreach "Price: *" [ eval "Percent: <<MATCHSTR>>"= round(('<<FIELD>>'/'Total: <<MATCHSTR>>')*100,1)]
| table date Percent*

PS: I am not sure on your logic for Calculation of Percent, but hopefully this should guide you.




| eval message="Happy Splunking!!!"


0 Karma
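
The eventstats approach suggested in the reply above, applied to the calculation the thread asks for (percent change of each price against the oldest price for the same code), as an added example that is not code from any poster. It reuses the sample rows from the thread and avoids both join and a subsearch; the field names `baseprice` and `percent` are chosen here for illustration, and sorting by `date` stands in for event time because the generated rows carry no meaningful `_time`.

```spl
| makeresults
| eval data="20171108,A,1;20171109,A,1.5;20171110,A,2;20171108,B,10;20171109,B,20;20171110,B,5"
| makemv data delim=";"
| mvexpand data
| eval data=split(data,",")
| eval date=mvindex(data,0), code=mvindex(data,1), price=tonumber(mvindex(data,2))
| table date code price
| sort 0 code date
| eventstats first(price) as baseprice by code
| eval percent=round((price-baseprice)/baseprice*100,1)
| chart sum(percent) by date code
```

On indexed data, the first seven lines would be replaced by the base search, and `sort 0` keeps every row rather than the default sort limit.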