Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to go about using multiple eval commands, subsearches, and foreach commands?

jackstephenson9
New Member
‎11-05-2018 05:37 PM

I'm trying to sort smartsheets by certain combinations of row/column values. If I remove one of the 'foreach' blocks, the search works, outputting a new field. With both, however, the search returns 0 results. I'm wondering if there's a better way to do this.

Also, the reason I can't just eval them separately is that one of the fields (a column) "Final" appears both in "Project scheduling" row events and "Project closed" row events

index=main sourcetype=smartsheet 
| rename metadata.smartsheet_name as sheetname 
| dedup metadata.id 
| foreach sheetname 
         [ search "Task Name"="Project scheduling" 
         | eval nowtime=strftime(now(), "%Y-%m-%d") 
         | eval nowtime=strptime(nowtime, "%Y-%m-%d") 
         | eval scheduledtime=strptime(Finish,"%Y-%m-%d") 
         | eval scheduledOk=if(scheduledtime<=nowtime, "true", "false")] 
| foreach sheetname
         [ search "Task Name"="Project closed" 
         | eval nowtime=strftime(now(), "%Y-%m-%d") 
         | eval nowtime=strptime(nowtime, "%Y-%m-%d") 
         | eval finishtime=strptime(Finish,"%Y-%m-%d") 
         | eval finishedOk=if(finishtime>nowtime, "true", "false")]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎11-05-2018 06:30 PM

@jackstephenson96,

Assuming that the Status condition on the task depends on the Task Name and rest of the fields are same for both, give this a try and see if its matching with your requirement

index=main sourcetype=smartsheet 
| rename metadata.smartsheet_name as sheetname 
| dedup metadata.id
| eval nowtime=strftime(now(), "%Y-%m-%d") 
| eval nowtime=strptime(nowtime, "%Y-%m-%d") 
| eval Status=case("Task Name"=="Project scheduling" ,if(strptime(Finish,"%Y-%m-%d")<=nowtime,"true","false")
                   ,"Task Name"=="Project closed" ,if(strptime(Finish,"%Y-%m-%d")>nowtime,"true","false"))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎11-05-2018 06:30 PM

@jackstephenson96,

Assuming that the Status condition on the task depends on the Task Name and rest of the fields are same for both, give this a try and see if its matching with your requirement

index=main sourcetype=smartsheet 
| rename metadata.smartsheet_name as sheetname 
| dedup metadata.id
| eval nowtime=strftime(now(), "%Y-%m-%d") 
| eval nowtime=strptime(nowtime, "%Y-%m-%d") 
| eval Status=case("Task Name"=="Project scheduling" ,if(strptime(Finish,"%Y-%m-%d")<=nowtime,"true","false")
                   ,"Task Name"=="Project closed" ,if(strptime(Finish,"%Y-%m-%d")>nowtime,"true","false"))

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jackstephenson9
New Member
‎11-06-2018 02:27 PM

Renjith, you are a genius. Thank you

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!