https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450602#M127591 <P>Hi @sunnyb147</P> <P>Can't exactly say why are you looking for a loop for the scenario you described. It more looks like you want to run it on a cron schedule.<BR /> In case there is a gap in understanding your logic, below is a sample of how you could use a loop - </P> <PRE><CODE>| makeresults | eval Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='&lt;&lt;FIELD&gt;&gt;'] | where HostFlags!="" | table Feature.Flags* </CODE></PRE> <P>Also, take a look at - <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Foreach">https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Foreach</A><BR /> Hope this helps. Let me know.</P> Thu, 27 Jun 2019 18:27:51 GMT amitm05 2019-06-27T18:27:51Z https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450600#M127589 <P>Hi All, Good morning,<BR /> Is there any option in Splunk to run a search in a loop?</P> <P>Basically what I want to say is I have a search which is producing some result in a tabular format and further I am piping that in a CSV file, a single iteration is working fine.</P> <P>But I want to run that search lets say for 7 days based on date_mday, so I was wondering if there is a way like for loop kind of a thing so that every time when the search is executed it appends the output to a csv file.</P> <P><STRONG>Sample search:</STRONG></P> <PRE><CODE>index=test1 country=india | dedup txn-id| stats count(txn-id) as unique_txns by date_mday, date_month | table date_mday, date_month, unique_txns | outputlookup append=true sunny_test.csv </CODE></PRE> <P>Any help/guidance would be really appreciated.</P> <P>Thanks,<BR /> Sunny</P> Thu, 27 Jun 2019 09:40:40 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450600#M127589 sunnyb147 2019-06-27T09:40:40Z https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450601#M127590 <P>Where is the problem exactly? Create a scheduled search that runs every seven days with <CODE>earliest=-7d@d AND latest=@d</CODE> for example and that's it. Your outputlookup already uses the option <CODE>append=true</CODE> so the files should get appended.</P> <P>Skalli</P> Thu, 27 Jun 2019 16:45:43 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450601#M127590 skalliger 2019-06-27T16:45:43Z https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450602#M127591 <P>Hi @sunnyb147</P> <P>Can't exactly say why are you looking for a loop for the scenario you described. It more looks like you want to run it on a cron schedule.<BR /> In case there is a gap in understanding your logic, below is a sample of how you could use a loop - </P> <PRE><CODE>| makeresults | eval Feature.Flags.1 = "True", Feature.Flags.2 = "abc", Feature.Flags.3 = "" | eval HostFlags="" | foreach "Feature.Flags"* [eval HostFlags='&lt;&lt;FIELD&gt;&gt;'] | where HostFlags!="" | table Feature.Flags* </CODE></PRE> <P>Also, take a look at - <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Foreach">https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Foreach</A><BR /> Hope this helps. Let me know.</P> Thu, 27 Jun 2019 18:27:51 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450602#M127591 amitm05 2019-06-27T18:27:51Z https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450603#M127592 <P>Let me know if this answers your query. Or if there is more to it yet. Please accept if you are ok with the answer. Thaks</P> Fri, 28 Jun 2019 08:30:34 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450603#M127592 amitm05 2019-06-28T08:30:34Z https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450604#M127593 <P>Hi @amitm05 ,</P> <P>Thanks for your feedback, let me try explaining the scenario, basically what I am up-to:</P> <OL> <LI>If I run above query , it will give me a unique count of all transaction-ids for a specific day which I select in time-picker.</LI> <LI>And if I add this thing in the cron schedule, it will append the file on daily basis.</LI> <LI>What I want is, to have a while loop or for loop in which if I pass this query then it should take the date via date_mday field and extract the results and further append that in the csv file.</LI> </OL> <P>The main issue here is if I use 7 days in time-picker and dedup the transaction-id it doesn't give me correct count reason being some transaction-ids are being duplicated over multiple dates.</P> <P>Example: If I search for a unique count on 30th of June 2019 the count is 515 but if I select the tenure of 7 days it gives me a count of 483 for 30th of June 2019.</P> <P>I tried using MAP and FOREACH but didn't got what I was looking for.</P> <P>Thanks,<BR /> Sunny</P> Mon, 01 Jul 2019 07:27:25 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450604#M127593 sunnyb147 2019-07-01T07:27:25Z https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450605#M127594 <P>Hi @skalliger,</P> <P>Thanks for your feedback, The main issue here is if I use 7 days in time-picker or by earliest/latest and dedup the transaction-id it doesn't give me correct count reason being some transaction-ids are being duplicated over multiple dates.</P> <P>Example: If I search for a unique count on 30th of June 2019 the count is 515 but if I select the tenure of 7 days it gives me a count of 483 for 30th of June 2019.</P> <P>What I am looking for: Is to have a while loop or for loop in which if I pass this query then it should take the date via date_mday field and extract the results and further append that in the csv file.</P> <P>Thanks,<BR /> Sunny</P> Mon, 01 Jul 2019 07:51:28 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450605#M127594 sunnyb147 2019-07-01T07:51:28Z https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450606#M127595 <P>Found the solution without using loop, and its working fine.</P> <P>Instead of doing, dedup then counting the unique transactions.. counted distinct count of transactions.</P> Fri, 12 Jul 2019 12:51:06 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-any-option-in-Splunk-to-run-a-search-in-a-loop/m-p/450606#M127595 sunnyb147 2019-07-12T12:51:06Z