Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

search in foreach subquery

dmitrymi
Observer
‎10-06-2021 12:45 PM

I have items visit log index with fields: category, item each event is a visit

In addition, I have an index with all items in the system in form category, items_count

I want to create a timechart of categories: <category> -> <visited items>/<all items> other time

What I did:

index="visited" | eval cat_item = category."/".item  | timechart dc(cat_item) by category  | foreach * [ search index="cat" category="<<FIELD? >>"  | eval <<FIELD>>= '<<FIELD>>'/items_count ]

But this does not work

timechart here creates a table with categories as columns and, each row contains the count of visited items 

Now the problem is how I get column name, and value in the subquery. In the examples, the <<FIELD>> is used for the column name and column value alike. 

Please help

 

 

 

 

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-06-2021 01:33 PM

This

index="visited" | eval cat_item = category."/".item  | timechart dc(cat_item)

does not give you a column for each cat_item as you seem to be suggesting - it gives you a count of distinct cat_items for each time period.

0 Karma
Reply

dmitrymi
Observer
‎10-06-2021 01:49 PM

Sorry my mistake this is actually:

index="visited" | eval cat_item = category."/".item  | timechart dc(cat_item) by category

but still not working. 

Without foreach the query returns number of items visited by category over time

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-06-2021 01:28 PM

Are you sure your problem is with fieldnames? I'd say it's with the subsearch itself.

As per the docs, foreach runs a streaming subsearch for each field. But your subsearch starts with the search command which is a generating one.

0 Karma
Reply

dmitrymi
Observer
‎10-06-2021 01:35 PM

I'm not sure, what is the right way to do it? How to select a value for each column using the column name,  and update cell value using this 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-07-2021 03:25 AM

If you really need a dynamicaly constructed search, try the map command. But I'd rather do a groupped stat (i.e. count by)

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...