- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get foreach, eval, and subsearch to work to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically, what I need to do is take some values (x, y, z) that are stored in the summary index, then for each x value, run a subsearch to find values for foo and bar, then create one record with x, y, z, foo, and bar.
Pseudo search:
index=summary earliest=01/01/2016:00:00:00 search_name= | foreach x [eval foo=[search earliest=01/01/2016:00:00:00 <> | fields foo | dedup foo | return $foo]] | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 <> | fields bar | dedup bar | return $foo]]
Where I'm running into trouble is getting eval to accept a string value from return.
A foreach/eval/subsearch works when I return a number:
index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 | head 1 | eval myvar=9 | return $myvar]]
But the same combo fails to populate bar if I return a string:
index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar=[search earliest=01/01/2016:00:00:00 | head 1 | eval myvar="alskdfj" | return $myvar]]
If I take out the subsearch, eval will accept the string:
index=summary earliest=01/01/2016:00:00:00 search_name= | head 2 | foreach x [eval bar="alskdfj"]
Does anyone know why eval works in the first and third case, but not the second?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you considered the map command?
http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/Map
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you considered the map command?
http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/Map
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That got me closer. It didn't print out pretty, but since I'm collecting the data for the summary index, it doesn't matter. Thanks!
For posterity's sake:
index=summary earliest=01/01/2016:00:00:00 search_name=redacted | map search="search earliest=01/01/2016:00:00:00 $var_from_query$ |eval var_from_query=$var_from_query$ | stats values(var_from_query), values(var_from_map_search) by redacted | collect marker=\"search_name=testing\" "
This works on small batches, but for some reason only returns 10 rows, when the initial search has over 100,000. On to the next mystery.
Update: there's a maxsearches parameter for the map command, which is by default set to 10.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
