- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Using the foreach command, how do you reset th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using the foreach command, how do you reset the value of a field based on another field?
How do you reset a value of a field (to 0) based on another field's 0 value (using foreach - as this needs to be done for multiple columns)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The general form is | foreach foo* [ eval <<FIELD>>=if(otherField=0, 0, <<FIELD>>) ].
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sahil237888 if you can post some example of current results you have and expected output after foreach, it would be easier for community to assist you better. Kindly mock/anonymize any sensitive information before posting.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_time A B C TA TB TC
0:01 1 0 1 0 1 0
0:02 1 0 5 0 2 0
0:03 0 0 0 1 3 1
0:04 5 5 0 0 0 1
0:05 0 4 0 1 0 1
0:06 0 9 4 2 0 0
0:07 0 1 5 3 0 0
0:08 0 3 7 4 0 0
0:09 0 8 1 5 0 0
0:10 6 0 3 6 1 0
As in above in column A the value in 0:10 is 6, So the corresponding value of TA for the same time should become 0 (but it becomes 6)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone or Splunk team help onto this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sahil237888,
On what basis, value of TA should be 0 ? Just because A is 6 and you want to substract that value? At 0:10 value of B is 3 , what shoud be the value of TB?
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The value in TA ,TB, or TC represent the counter which keeps on increasing if there is corresponding zero in A,B or C.
As in A column at 00.10 value is 6 so TA should be 0.Same case is with others B and C column.
(I have multiple number of column for ehich i will implement the logic)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone help on this?
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
