Usage of Foreach Command in Splunk

Usage of Foreach Command in Splunk

Basically foreach command runs a streaming sub-search for each field. Earlier we already discuss about eval command. Using eval command we can perform calculation for a single field. Now if we want to calculate multiple fields at same time we can’t do using eval command, we can do using foreach command.

Using foreach command we can take multiple fields in a loop and easily we can perform any calculation.

Find below the skeleton of the usage of the command “foreach” in SPLUNK 

Syntax :

| foreach <wc-field>…… [matchstr=<string>] <subsearch>

Required arguments :-
wc-field
Description : A list of field names. We can use wild card characters in the field names.
subsearch
Description : A sub-search that includes a template for replacing the values of the fields.

Optional arguments :-
matchstr
Description : Replaces <<MATCHSTR>> with part of the field name that matches wildcard(s) in the specifier.

Example 1 :
Calculate total bytes in KB use by the status

index=_internal sourcetype=splunkd_ui_access
| timechart sum(bytes) as total_bytes by status useother=f
| foreach * [ eval <<FIELD>>='<<FIELD>>'/1024]
| fillnull

Result :

foreach2

Explanation :

  • In the above query “_internal” is the index and sourcetype name is “splunkd_ui_access”.
  • By the timechart command we calculate sum of bytes field as total_bytes by status field in different time and using useother command we remove OTHER field which was created by the timechart command.
  • Then using foreach command we done the calculation for total bytes in KB used by the status. From bytes filed we got the total value in byte and we convert this total value in byte by division with 1024 to get the value in KB.
  • At last we use fillnull command to fill the null value ( fillnull command replace null value fields with the value 0 ).

Note :

1. In foreach command we use “ * ” to get all the fields into the loop.
2. In this command we use one attribute <<FIELD>>, this attribute refers all the fields that taken by the " * " into the loop ( FIELD is template to access all the fields ). 

Example 2 :
Use the <<MATCHSTR>> attribute

| makeresults
| eval TEST1="100",TEST2="200",TEST3="300"
| fields - _time
| foreach TEST* [ eval new_<<MATCHSTR>> = <<FIELD>> /20]

Result :

foreach3

Explanation :

  • This search creates one result using the makeresults command.
  • The search then uses the eval command to create the fields TEST1, TEST2, and TEST3 with corresponding values.
  • Using fields we remove the field _time.
  • Then we use foreach command to division for all the field taken by the TEST* with 20 and got new result using eval command with fields name new_1=5, new_2=10, new_3=15. Here we use one argument is <<MATCHSTR>>, that mean it create fields name replaces with part of the field name that matches wildcard(s) in the specifier. Using TEST* we taken TEST1, TEST2 and  TEST3 and here “ * “ refer 1,2 and 3. This “ * “ values (1, 2, 3) create new fields with new_ (new_1, new_2 and new_3) and <<FIELD>> refer all the fields taken by the TEST* into the loop.

Now you can effectively utilize “foreach”  command in  your daily use to meet your requirement !!

Hope you are now comfortable in : Usage of Foreach Command in Splunk

Happy Splunking !!

Advertisements

One comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.