Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why did Splunk 9.0.1 "Fail to parse templatized search for field 'i'"?

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 02:01 PM

I'm trying to use the Splunk 9 addition in foreach iteration with ITEM, but it always returns "Failed to parse templatized search for field 'i'" on my server, which runs 9.0.1.

 

 

 

| makeresults
| eval i = mvrange(0,3)
| foreach i
    [eval showme = <<ITEM>>]

 

 

 

 I previously used <<ITEM>> on a laptop Splunk 9 and it didn't have this error.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:33 PM

Read foreach again.  It turns out that <<ITEM>> iterator requires mode=multivalue (a new flag in Splunk 9).  A proper test construct should be

 

| makeresults
| eval i = mvrange(0,3)
| foreach i mode=multivalue
    [eval showme = mvappend(showme, "equals " . <<ITEM>>)]

 

 

i
showme
0
1
2
equals 0
equals 1
equals 2

Quote is irrelevant in simple field names.

View solution in original post

Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:07 PM

Thank you, @bowesmana!  Funny enough, change the test to 

| makeresults
| eval i = mvrange(0,3)
| foreach i
    [eval showme = '<<ITEM>>']

(or its mvappend equivalent) does suppress the error, even though it doesn't assign any value to showme - which was my real problem.  In fact, my initial code - for the real problem, used single quotes.  No error but no value, hence the experimentation.  Regardless, the subject question is answered.

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-26-2022 05:55 PM

Not sure as I don't have Splunk 9, but that error typically occurs when you don't wrap the right hand side of eval in single quotes.

Just thinking that the value of <<ITEM>> in this case is a numeric 0 to 3, so normally if those numbers were fields, you'd have to wrap them in single quote, e.g.

| makeresults
| eval 0=1
| eval x='0'*2

No idea if that is relevant here though

Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎09-26-2022 09:33 PM

Read foreach again.  It turns out that <<ITEM>> iterator requires mode=multivalue (a new flag in Splunk 9).  A proper test construct should be

 

| makeresults
| eval i = mvrange(0,3)
| foreach i mode=multivalue
    [eval showme = mvappend(showme, "equals " . <<ITEM>>)]

 

 

i
showme
0
1
2
equals 0
equals 1
equals 2

Quote is irrelevant in simple field names.

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...