Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

search in foreach subquery

dmitrymi
Observer
‎10-06-2021 12:45 PM

I have items visit log index with fields: category, item each event is a visit

In addition, I have an index with all items in the system in form category, items_count

I want to create a timechart of categories: <category> -> <visited items>/<all items> other time

What I did:

index="visited" | eval cat_item = category."/".item  | timechart dc(cat_item) by category  | foreach * [ search index="cat" category="<<FIELD? >>"  | eval <<FIELD>>= '<<FIELD>>'/items_count ]

But this does not work

timechart here creates a table with categories as columns and, each row contains the count of visited items 

Now the problem is how I get column name, and value in the subquery. In the examples, the <<FIELD>> is used for the column name and column value alike. 

Please help

 

 

 

 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-06-2021 01:33 PM

This

index="visited" | eval cat_item = category."/".item  | timechart dc(cat_item)

does not give you a column for each cat_item as you seem to be suggesting - it gives you a count of distinct cat_items for each time period.

0 Karma
Reply

dmitrymi
Observer
‎10-06-2021 01:49 PM

Sorry my mistake this is actually:

index="visited" | eval cat_item = category."/".item  | timechart dc(cat_item) by category

but still not working. 

Without foreach the query returns number of items visited by category over time

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2021 01:28 PM

Are you sure your problem is with fieldnames? I'd say it's with the subsearch itself.

As per the docs, foreach runs a streaming subsearch for each field. But your subsearch starts with the search command which is a generating one.

0 Karma
Reply

dmitrymi
Observer
‎10-06-2021 01:35 PM

I'm not sure, what is the right way to do it? How to select a value for each column using the column name,  and update cell value using this 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-07-2021 03:25 AM

If you really need a dynamicaly constructed search, try the map command. But I'd rather do a groupped stat (i.e. count by)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...