Splunk fillnull
Basically, the foreach command runs a streaming sub-search for each field. Earlier we already discussed the eval command. Using the eval command we can perform a calculation on a single field. If we want to calculate multiple fields at the same time, we cannot do that with eval alone, but we can do it with the foreach command. Using foreach we can take multiple fields in a loop and easily perform any calculation on each of them.

Find below the skeleton of the usage of the "foreach" command in Splunk:

Description : A list of field names. We can use wildcard characters in the field names.
Description : A sub-search that includes a template for replacing the values of the fields.
Description : Replaces <<FIELD>> with the part of the field name that matches the wildcard(s) in the specifier.

Calculate total bytes in KB used by each status:

index=_internal sourcetype=splunkd_ui_access | timechart sum(bytes) as total_bytes by status useother=f | foreach * | fillnull

In the above query, "_internal" is the index and the sourcetype name is "splunkd_ui_access". With the timechart command we calculate the sum of the bytes field as total_bytes, split by the status field over time, and with useother=f we suppress the OTHER column that timechart would otherwise create. Then, using the foreach command, we do the calculation of total bytes in KB for each status column, and fillnull fills the empty cells left where a status had no events in a time bucket.
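As an added example (not the blog's own query), here is the same search written out in full, with the foreach sub-search template shown explicitly. It assumes the same _internal index and splunkd_ui_access sourcetype used above; the span=1h bucket size, the KB rounding to two decimals and the fillnull value=0 are choices made for this example.

```spl
index=_internal sourcetype=splunkd_ui_access
| timechart span=1h sum(bytes) AS total_bytes BY status useother=f
| foreach * [eval <<FIELD>> = round('<<FIELD>>' / 1024, 2)]
| fillnull value=0
```

After the timechart, each HTTP status value (for example 200, 404, 500) becomes its own column and _time is the only other field, so foreach * visits every status column; the wildcard does not match internal fields such as _time, which is why the timestamp is left alone. Inside the sub-search, <<FIELD>> on the left of the eval names the column being rewritten, and the single-quoted '<<FIELD>>' on the right reads its current value (the quotes matter because a column named "200" would otherwise be parsed as the number 200 rather than a field reference). A status that produced no events in a given hour leaves an empty cell rather than a zero; fillnull value=0 turns those blanks into 0 so that later comparisons, thresholds or charting treat "no traffic" and "some traffic" consistently instead of silently dropping the empty rows.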