Splunk® Enterprise

Search Reference

foreach

Description

Runs a templated streaming subsearch for each field in a wildcarded field list.

Syntax

foreach <wc-field>... [fieldstr=<string>] [matchstr=<string>] [matchseg1=<string>] [matchseg2=<string>] [matchseg3=<string>] <subsearch>

Required arguments

wc-field
Syntax: <field> ...
Description: A list of field names. You can use wildcard characters (*) in the field names.
subsearch
Syntax: [ subsearch ]
Description: A subsearch that includes a template for replacing values of the wildcarded fields.

Optional arguments

fieldstr
Syntax: fieldstr=<string>
Description: Specifies the token to use in the subsearch template in place of the default <<FIELD>>. The token is replaced with the whole field name.
matchstr
Syntax: matchstr=<string>
Description: Specifies the token to use in place of the default <<MATCHSTR>>. The token is replaced with the part of the field name that matches the wildcard(s) in the specifier.
matchseg1
Syntax: matchseg1=<string>
Description: Specifies the token to use in place of the default <<MATCHSEG1>>. The token is replaced with the part of the field name that matches the first wildcard.
matchseg2
Syntax: matchseg2=<string>
Description: Specifies the token to use in place of the default <<MATCHSEG2>>. The token is replaced with the part of the field name that matches the second wildcard.
matchseg3
Syntax: matchseg3=<string>
Description: Specifies the token to use in place of the default <<MATCHSEG3>>. The token is replaced with the part of the field name that matches the third wildcard.

Examples

Example 1. Add together all fields with a name that starts with "test" into a total field. The result should be total=6.

a.

... | eval total=0 | eval test1=1 | eval test2=2 | eval test3=3 | foreach test* [eval total=total + <<FIELD>>]

b.

... | eval total=0 | eval test1-1=1 | eval test1-2=2 | eval test1-3=3 | foreach test* [eval total=total + '<<FIELD>>']

The <<FIELD>> token in the foreach subsearch is just a string replacement of the field names (test*). The eval expression does not recognize field names with non-alphanumeric characters unless the field names are surrounded by single quotes. Thus, the eval expression in the subsearch of 1a is invalid for 1b because the field names test1-1 and test1-2 include a non-alphanumeric character. For the eval expression to work, <<FIELD>> needs to be surrounded by single quotes.

Example 2. Use the foreach command to monitor license usage. Run the following search on the license master to return the daily license usage per sourcetype in bytes:

index=_internal source=*license_usage.log type!="*Summary" earliest=-30d | timechart span=1d sum(b) AS daily_bytes by st

Use the foreach command to calculate the daily license usage in gigabytes for each field:

index=_internal source=*license_usage.log type!="*Summary" earliest=-30d | timechart span=1d sum(b) AS daily_bytes by st | foreach * [eval <<FIELD>>='<<FIELD>>'/1024/1024/1024]

Example 3. Add each field that matches foo* to the corresponding bar* and write the result to a new_* field. For example, new_X = fooX + barX.

... | foreach foo* [eval new_<<MATCHSTR>> = <<FIELD>> + bar<<MATCHSTR>>]

Example 4. Equivalent to ... | eval foo="foo" | eval bar="bar" | eval baz="baz"

... | foreach foo bar baz [eval <<FIELD>> = "<<FIELD>>"]

Example 5. For the field, fooXbarY, this is equivalent to: ... | eval fooXbarY = "Y"

... | foreach foo*bar* fieldstr="#field#" matchseg2="#matchseg2#" [eval #field# = "#matchseg2#"]
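The token substitution described under the optional arguments and used in Examples 1, 3, 4 and 5 can be checked offline with the following Python simulation. This is an added example, not Splunk's code: it expands a wc-field spec into the per-field token values (<<FIELD>>, <<MATCHSTR>>, <<MATCHSEGn>>, or the names supplied through fieldstr and matchseg2), renders the subsearch template once per matching field, and flags the Example 1b pitfall, a bare <<FIELD>> in an eval expression for a field name that eval would not accept unquoted. Assumptions: for a spec with several wildcards, MATCHSTR is all wildcard matches joined together and each wildcard takes the shortest run that lets the spec match; underscores do not need quoting; the field lists in the usage section are constructed.

```python
import re
from typing import Dict, List, Optional, Sequence

# Default token names as documented for foreach. The fieldstr, matchstr and
# matchsegN arguments let a search rename them (Example 5 uses "#field#" and
# "#matchseg2#").
DEFAULT_FIELDSTR = "<<FIELD>>"
DEFAULT_MATCHSTR = "<<MATCHSTR>>"
DEFAULT_MATCHSEG = ("<<MATCHSEG1>>", "<<MATCHSEG2>>", "<<MATCHSEG3>>")

# Field names that eval accepts without single quotes. The page says names with
# non-alphanumeric characters must be quoted; underscore is treated as safe here
# (assumption, matching names such as daily_bytes in Example 2).
_UNQUOTED_OK = re.compile(r"^[A-Za-z0-9_]+$")


def wildcard_to_regex(spec: str) -> "re.Pattern[str]":
    """Compile a wc-field spec such as 'foo*bar*' into an anchored regex with
    one capture group per '*'. Literal characters are escaped; each '*' takes
    the shortest run of characters that lets the whole spec match (assumption)."""
    pieces = [re.escape(p) for p in spec.split("*")]
    return re.compile("^" + "(.*?)".join(pieces) + "$")


def tokens_for(field: str, spec: str,
               fieldstr: str = DEFAULT_FIELDSTR,
               matchstr: str = DEFAULT_MATCHSTR,
               matchseg: Sequence[str] = DEFAULT_MATCHSEG) -> Optional[Dict[str, str]]:
    """Return the token -> value map foreach applies for one field, or None if
    the field does not match the spec. MATCHSEGn is the text matched by the
    n-th '*'; MATCHSTR is all wildcard matches joined together (assumption for
    specs with several '*'; the page only shows the single-wildcard case)."""
    match = wildcard_to_regex(spec).match(field)
    if match is None:
        return None
    segments = match.groups()
    tokens = {fieldstr: field, matchstr: "".join(segments)}
    tokens.update(zip(matchseg, segments))
    return tokens


def render(template: str, tokens: Dict[str, str]) -> str:
    """Substitute tokens in the subsearch text. foreach does plain string
    replacement, which is why Example 1b needs quotes around the token."""
    out = template
    for token, value in tokens.items():
        out = out.replace(token, value)
    return out


def foreach_expand(fields: Sequence[str], specs: Sequence[str], template: str,
                   **token_names) -> List[str]:
    """Simulate `foreach <specs...> [template]`: for every field, in the order
    given, that matches one of the specs, emit the rendered subsearch text.
    A field is expanded once even if several specs match it (assumption)."""
    expanded = []
    for field in fields:
        for spec in specs:
            tokens = tokens_for(field, spec, **token_names)
            if tokens is not None:
                expanded.append(render(template, tokens))
                break
    return expanded


def unquoted_field_problems(fields: Sequence[str], specs: Sequence[str],
                            template: str,
                            fieldstr: str = DEFAULT_FIELDSTR) -> List[str]:
    """The Example 1b pitfall: list matching field names that eval would not
    accept unquoted when the template uses the field token bare in the eval
    expression (the text after the first '='). The eval target on the left is
    left unquoted in the page's own examples, so only the expression is checked."""
    _, _, expression = template.partition("=")
    bare_token = re.compile("(?<!')" + re.escape(fieldstr) + "(?!')")
    if bare_token.search(expression) is None:
        return []
    return [f for f in fields
            if any(tokens_for(f, s, fieldstr=fieldstr) for s in specs)
            and _UNQUOTED_OK.match(f) is None]


if __name__ == "__main__":
    # Constructed field lists standing in for the events in the page's examples.
    fields_1b = ["total", "test1-1", "test1-2", "test1-3"]
    for line in foreach_expand(fields_1b, ["test*"], "eval total=total + <<FIELD>>"):
        print(line)
    print("needs quoting:", unquoted_field_problems(
        fields_1b, ["test*"], "eval total=total + <<FIELD>>"))
    print(foreach_expand(["fooXbarY"], ["foo*bar*"], 'eval #field# = "#matchseg2#"',
                         fieldstr="#field#",
                         matchseg=("<<MATCHSEG1>>", "#matchseg2#", "<<MATCHSEG3>>")))
```

Running the script prints the three expanded eval commands for Example 1b, reports test1-1, test1-2 and test1-3 as names that need quoting, and shows that Example 5 expands to eval fooXbarY = "Y". Switching the first template to the quoted form from Example 1b empties the needs-quoting list, and the Example 2 template passes the check because the token on the expression side is already quoted.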

See also

eval, map

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the foreach command.

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


Comments

Tatepoon - Thank you for noticing the issue. I have fixed the example.

Lstewart splunk, Splunker
March 25, 2016

> Example 5. For the field, fooXbarY, this is equivalent to: ... | eval fooXbarY = "X"
> ... | foreach foo*bar* fieldstr="#field#" matchseg2="#matchseg2#" [eval #field# = "#matchseg2#"]

matchseg2 should be "Y" instead of "X"

Tatepoon
March 22, 2016
