Solved: Re: How to use Foreach using multiple columns?

D2SI · ‎06-22-2018

Hello there,

I am having a hard time figuring out how to use / how is working foreach + eval.

I have something like :

Which can be obtained using this search:

| makeresults
| eval a="test"
| eval result_a_version_1=1
| eval result_a_version_2=3
| eval result_b_version_1=5
| eval result_b_version_2=2
| fields - _time
| table a result_a_version_1 result_b_version_1 result_a_version_2 result_b_version_2

And I am trying to use foreach/eval to get this :

Matching search :

| makeresults
| eval a="test"
| eval result_a_version_1=1
| eval result_a_version_2=3
| eval result_b_version_1=5
| eval result_b_version_2=2
| fields - _time
| eval tota_a_b_version_1=result_a_version_1+result_b_version_1
| eval tota_a_b_version_2=result_a_version_2+result_b_version_2
| table a result_a_version_1 result_b_version_1 tota_a_b_version_1 result_a_version_2 result_b_version_2 tota_a_b_version_2

As the version number can vary, I am guessing I have to use foreach somehow.

Thanks in advance for any tip!

kamlesh_vaghela · ‎06-22-2018

Hi @D2SI,

I'm able to total of similar version. Can you please try the following search. I'm still working on the field name.

| makeresults 
| eval test="test" 
| eval result_a_version_1=1 
| eval result_a_version_2=3 
| eval result_b_version_1=5 
| eval result_b_version_2=2
| eval result_a_version_3=50 
| eval result_b_version_3=20 
| fields - _time 
| table test result_a_version_1 result_b_version_1 result_a_version_2 result_b_version_2 result_a_version_3 result_b_version_3
| foreach result_*_version_* 
    [ eval total_of_version_<<MATCHSEG2>>=if(isnotnull(total_of_version_<<MATCHSEG2>>),total_of_version_<<MATCHSEG2>>+'<<FIELD>>','<<FIELD>>') ]

Thanks

View solution in original post

kamlesh_vaghela · ‎06-22-2018

Hi @D2SI,

I'm able to total of similar version. Can you please try the following search. I'm still working on the field name.

| makeresults 
| eval test="test" 
| eval result_a_version_1=1 
| eval result_a_version_2=3 
| eval result_b_version_1=5 
| eval result_b_version_2=2
| eval result_a_version_3=50 
| eval result_b_version_3=20 
| fields - _time 
| table test result_a_version_1 result_b_version_1 result_a_version_2 result_b_version_2 result_a_version_3 result_b_version_3
| foreach result_*_version_* 
    [ eval total_of_version_<<MATCHSEG2>>=if(isnotnull(total_of_version_<<MATCHSEG2>>),total_of_version_<<MATCHSEG2>>+'<<FIELD>>','<<FIELD>>') ]

Thanks

D2SI · ‎06-22-2018

Seems to be what I was after using MATCHSEG2, thanks a lot !

kamlesh_vaghela · ‎06-22-2018

Glad to help you.

Happy Splunking

How to use Foreach using multiple columns?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...