Splunk Search

Can you explain the syntax of the foreach command beyond what's in the Docs?

mahbs
Path Finder

Hi,

I'm trying to understand the syntax of foreach, I've had a look at the documentation, but it's just too difficult for me to understand and the examples aren't great.

I would really appreciate if someone can explain to me how to use the foreach command as well as the syntax.

Moreover, the reason why I want to use a foreach is because I have a list of data that I need to loop through pull out data for a particular field.

0 Karma

woodcock
Esteemed Legend

There are 2 "looping" commands. The map command loops over rows (events) whereas the foreach command loops over columns (fields). It really is that simple.

0 Karma

landen99
Motivator

It's a bit more complicated than that.

map creates new searches from the results of each row that entirely replace the results of the host search.

foreach allows you to use segments from each column name to construct an eval that adds to or changes the host search results.

0 Karma

somesoni2
Revered Legend

Foreach can be read as "for each specified field, perform this eval". It performs an eval expression on all matching fields and does it for all the rows.

...| foreach ...column list... [ eval-expression using template representation]

Map can be read as "for each row in my result, run this search". It initiates a search for each row of the search result that comes before the map command. It would be better if you can provide your detailed requirement, with current and expected output.

0 Karma

niketn
Legend

@mahbs, foreach is like a template for eval and its use case is where you might have the need to perform several similar evals. It is quite a powerful command with plenty of use cases, if used aptly. So, it would be better if you provide some insight into what you are trying to achieve, so that we can provide an example/explanation for the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
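To make the "template for eval" description above concrete, here is a runnable foreach example (added here; it is not from any of the posters above). The field names bytes_in, bytes_out and host are invented for the demo, and makeresults is used so it runs on any Splunk instance without an index. The first foreach uses the <<FIELD>> token to add every named field into a running total; the second uses a wildcard and the <<MATCHSEG1>> token, which expands to the text matched by the asterisk, to derive a new field per matching column:

```spl
| makeresults
| eval host="web01", bytes_in=1500, bytes_out=3072, bytes_total=0
| foreach bytes_in bytes_out [eval bytes_total = bytes_total + <<FIELD>>]
| foreach bytes_* [eval kb_<<MATCHSEG1>> = round(<<FIELD>> / 1024, 2)]
| table host bytes_* kb_*
```

Splunk substitutes the tokens textually before each eval runs, so the first foreach is equivalent to writing eval bytes_total = bytes_total + bytes_in followed by eval bytes_total = bytes_total + bytes_out, and the second produces kb_in, kb_out and kb_total (bytes_total is 4572, so kb_total is 4.46). Everything happens within the one result row; foreach never starts a new search, which is the key difference from map.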

skoelpin
SplunkTrust

You should look into the map command which does a foreach

index=xxx ... 
| map search="search sourcetype=\"xxxx\" val=$val$ | stats values(sessionid) by val"

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search.

0 Karma
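A self-contained illustration of the map behaviour described above (added here, not from the poster), using makeresults so it needs no index. Three rows are generated with an invented id and host field, and map runs its search once per row, substituting $id$ and $host$ with that row's values; string values have to be wrapped in escaped quotes inside the inner search, and maxsearches caps how many inner searches may run:

```spl
| makeresults count=3
| streamstats count AS id
| eval host = "web0" . id
| map maxsearches=3 search="| makeresults | eval host=\"$host$\", note=\"row $id$\""
| table host note
```

The output is three rows (web01/row 1, web02/row 2, web03/row 3), but note that id and the original _time are gone: map's output is the union of the inner searches' results, so any field from the outer row you still need must be passed into the inner search explicitly, as host is here. Because each row costs a full search, map on a large result set is slow and is limited by maxsearches (default 10); foreach is the right tool when you only need to apply the same eval across several fields of each existing row.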

mahbs
Path Finder

Ok, I need the iterator aspect of the map. Is map like a subsearch? Because that's not what I need

0 Karma

skoelpin
SplunkTrust

Map will iterate based on each condition, just like a foreach loop will do. The iterator aspect will iterate over each value until there are no values left.

0 Karma

jplumsdaine22
Influencer

The syntax is complex - what are you actually trying to do? Can you provide some event samples?

0 Karma