https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/504097#M140729 <P data-unlink="true"><SPAN class="UserName lia-user-name lia-user-rank-Communicator lia-component-message-view-widget-author-username"><SPAN class="">Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/165605">@ktugwell_splunk</a>&nbsp;</SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-Communicator lia-component-message-view-widget-author-username"><SPAN class="">Thanks for your response, In this case the count 5 is dynamic, They may 100's of rows with the parent child relationship. in such a use case how would I build the relationship.</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-Communicator lia-component-message-view-widget-author-username"><SPAN class="">Thanks,</SPAN></SPAN></P> Fri, 12 Jun 2020 09:13:49 GMT gowtham08091 2020-06-12T09:13:49Z https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/481360#M134893 <P>Hello Everyone.</P> <P>I have a traceability report as below<BR /> Parent Child<BR /> A B<BR /> A C<BR /> B D<BR /> C E<BR /> C F</P> <P>Where as I have create the link traceability as <BR /> Parent Son Grandson<BR /> A B D<BR /> A C E<BR /> A C F</P> <P>I am struggling to identify the base query for this use case, can anyone suggest ?</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8747iE4B9B78F9682D375/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 21 Apr 2020 15:45:59 GMT https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/481360#M134893 Gowthamdevaraj 2020-04-21T15:45:59Z https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/481361#M134894 <P>Hey there,</P> <P>This had be puzzled for a bit! And I do hope I haven't over-engineered it.</P> <P>I think the best way for you to achieve this is to potentially use a lookup. This will work on small to moderate datasets, if your dataset larger, you may want to consider the KV Store.</P> <P>First, I reproduced your dataset like this:</P> <PRE><CODE>| makeresults count=5 | streamstats count | eval Parent=CASE(count=1,"A",count=2,"A",count=3,"B",count=4,"C",count=5,"C",1==1,0) | eval Child=CASE(count=1,"B",count=2,"C",count=3,"D",count=4,"E",count=5,"F",1==1,0) | fields - _time | fields Parent Child </CODE></PRE> <P>Then i output the results to a CSV <CODE>| outputlookup family.csv</CODE></P> <P>I then used that output to link the family members together.</P> <PRE><CODE>| makeresults count=5 | streamstats count | eval Parent=CASE(count=1,"A",count=2,"A",count=3,"B",count=4,"C",count=5,"C",1==1,0) | eval Child=CASE(count=1,"B",count=2,"C",count=3,"D",count=4,"E",count=5,"F",1==1,0) | fields - _time | fields Parent Child | lookup family.csv Parent AS Child OUTPUT Child AS Grandchild </CODE></PRE> <P>Finally, you'll see, because <CODE>C</CODE> is both the parent of <CODE>E</CODE> and <CODE>F</CODE>. Splunk will give you a multivalued field for <CODE>Grandchild</CODE>.</P> <P>You can then use this <CODE>| mvexpand Grandchild</CODE> which should give you the result you're looking for.</P> <P>I hope this works for you and demonstrates how a lookup can be used to match data like this. Remember, you can always schedule the <CODE>outputlookup</CODE> to keep the <CODE>family.csv</CODE> up to date.</P> <P>Thanks</P> Wed, 22 Apr 2020 15:25:34 GMT https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/481361#M134894 ktugwell_splunk 2020-04-22T15:25:34Z https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/504097#M140729 <P data-unlink="true"><SPAN class="UserName lia-user-name lia-user-rank-Communicator lia-component-message-view-widget-author-username"><SPAN class="">Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/165605">@ktugwell_splunk</a>&nbsp;</SPAN></SPAN></P><P><SPAN class="UserName lia-user-name lia-user-rank-Communicator lia-component-message-view-widget-author-username"><SPAN class="">Thanks for your response, In this case the count 5 is dynamic, They may 100's of rows with the parent child relationship. in such a use case how would I build the relationship.</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="UserName lia-user-name lia-user-rank-Communicator lia-component-message-view-widget-author-username"><SPAN class="">Thanks,</SPAN></SPAN></P> Fri, 12 Jun 2020 09:13:49 GMT https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/504097#M140729 gowtham08091 2020-06-12T09:13:49Z https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/504130#M140736 <LI-CODE lang="markup">| makeresults count=200 | eval Parent=mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random()%26) | eval Son=mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random()%26) | table Parent Son | dedup Parent Son | rename COMMENT as "from here, the logic" | eval tmp=Parent.Son | eventstats values(tmp) as listed | mvexpand listed | rex field=listed max_match=0 "(?&lt;GroundSon1&gt;\w)(?&lt;GroundSon2&gt;\w)" | where Son==GroundSon1 | table Parent Son GroundSon2 | rename GroundSon2 as Groundson | dedup Parent Son Groundson | sort Parent Son Groundson</LI-CODE><P>For three category , It can forced to do .</P> Fri, 12 Jun 2020 11:56:59 GMT https://community.splunk.com/t5/Splunk-Search/Looping-in-Splunk-Query/m-p/504130#M140736 to4kawa 2020-06-12T11:56:59Z