Splunk Search

How to get foreach, eval, and subsearch to work together in my search?

mcarney
Explorer

Basically, what I need to do is take some values (x, y, z) that are stored in the summary index, then for each x value, run a subsearch to find values for foo and bar, then create one record with x, y, z, foo, and bar.

Pseudo search:

index=summary earliest=01/01/2016:00:00:00 search_name= | foreach x [eval foo=[search earliest=01/01/2016:00:00:00 <> | fields foo | dedup foo | return $foo]] | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 <> | fields bar | dedup bar | return $bar]]

Where I'm running into trouble is getting eval to accept a string value from return.

A foreach/eval/subsearch works when I return a number:

index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 | head 1 | eval myvar=9 | return $myvar]]

But the same combo fails to populate bar if I return a string:

index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 | head 1 | eval myvar="alskdfj" | return $myvar]]

If I take out the subsearch, eval will accept the string:

index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar="alskdfj"]

Does anyone know why eval works in the first and third case, but not the second?

0 Karma
1 Solution

sundareshr
Legend

mcarney
Explorer

That got me closer. It didn't print out pretty, but since I'm collecting the data for the summary index, it doesn't matter. Thanks!

For posterity's sake:

index=summary earliest=01/01/2016:00:00:00 search_name=redacted | map search="search earliest=01/01/2016:00:00:00 $var_from_query$ |eval var_from_query=$var_from_query$ | stats values(var_from_query), values(var_from_map_search) by redacted | collect marker=\"search_name=testing\" "

This works on small batches, but for some reason only returns 10 rows, when the initial search has over 100,000. On to the next mystery.

Update: there's a maxsearches parameter for the map command, which is by default set to 10.
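The map search from the reply above, written out here as an added example (not the original poster's or Splunk's own code) with the maxsearches limit set explicitly and the substituted value quoted so that eval treats it as a string rather than as a field name. The index name summary, the redacted search_name value and the field names var_from_query, var_from_map_search and redacted are the page's placeholders; the value 100000 and the collect target index are assumptions for illustration.

```spl
index=summary earliest=01/01/2016:00:00:00 search_name=redacted
| fields redacted var_from_query
| map maxsearches=100000 search="search earliest=01/01/2016:00:00:00 $var_from_query$ | eval var_from_query=\"$var_from_query$\" | stats values(var_from_query) AS var_from_query, values(var_from_map_search) AS var_from_map_search BY redacted | collect index=summary marker=\"search_name=testing\""
```

Two things worth keeping in mind with this shape. First, map launches one full subsearch per row of the outer search, so maxsearches is a cost cap as much as a row limit: with 100,000 outer rows the job runs 100,000 searches, and narrowing the outer search with fields, dedup or a tighter time range is the cheaper fix. Second, map substitutes each $var_from_query$ value verbatim into the generated search string, so a value that contains quotes or a pipe character changes the meaning of the inner search; when the summary field can hold text you do not control, restrict the outer search to the values you expect before passing them to map.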
