topic Re: Foreach for multivalue variable in Splunk Search

Foreach for multivalue variable

yurykiselev — Tue, 29 Sep 2020 14:36:41 GMT

Hi!

_time | id | exam_type | avg_reaction_time

Patients pass several types of exams (exam_a, exam_b, exam_c...). Exams that take place in one day considered as one session.

| eval DAY = strftime(_time, "%Y%m%d")
| stats avg(avg_reaction_time) as AVG_RT_DAY by DAY

I'm trying to get a chart of avg_reaction_times (Abscissa) for an individual exam_type by sessions (Ordinate) for defined exam types.
Having variable EXAM_TYPE_REQ = "exam_a exam_b exam_c" (getting from form) I thought about foreach for each of them.

Re: Foreach for multivalue variable

rafaelsalazar — Tue, 29 Sep 2020 14:36:47 GMT

So if your multivalue variable is an input in the form used to filter what to report with a space delimiter, then you need to make it a multivalue and format it on the search.. let me explain with a simple query..

So my strategy would be to first get whatever events we need filtered by a multivalue input from search command, then do the analysis you need to do.

Regards,
Rafael.

Re: Foreach for multivalue variable

woodcock — Thu, 29 Jun 2017 22:27:05 GMT

Show your events (or the modified events at the point where things break down) and your desired output. I am lost.

Re: Foreach for multivalue variable

yurykiselev — Fri, 30 Jun 2017 09:57:19 GMT

Thx for reply!

index="dynavision"
| spath
| eval EXAM_TYPE = ...
| eval PATIENT_ID = ...
| rex max_match=0 "\"rt[\d]+\":\s\"(?<RT>[\d\.]+)\""
| mvexpand(RT)
| stats avg(RT) as AVG_RT by _time PATIENT_ID EXAM_TYPE
| eval AVG_RT = round(AVG_RT, 2)
| sort _time
| table _time PATIENT_ID EXAM_TYPE AVG_RT

2016-02-29 04:25:00 998097  *A  1.90
2016-02-29 04:26:32 998097  programm stradaniy levoi ruki 2 1.60
2016-02-29 04:28:34 998097  *B 1 Sec Fast   0.74
2016-02-29 05:15:38 762888  *A  2.06
2016-02-29 05:17:15 762888  *B 1 Sec Fast   0.83
2016-02-29 05:19:01 762888  programm stradaniy levoi ruki   2.06
2016-02-29 06:11:04 547662  small1  2.04
2016-02-29 06:13:14 547662  small1  1.61
2016-02-29 06:17:44 547662  8   1.80
2016-03-03 08:20:20 221439  *A  0.98
2016-03-03 08:22:14 221439  programm stradaniy levoi ruki   1.21

I need chart: average reaction time by session for each exam_type. Session is serial number each day of exam. For expl:

 SESSION       _time           PATIENT_ID EXAM_TYPE
 1             2016-01-01      1          A
 2             2016-01-03      1          A
 1             2016-01-03      2          A
 2             2016-01-05      2          A
 1             2016-01-07      1          B
 2             2016-01-08      1          B
 3             2016-01-11      1          A
 3             2016-01-12      2          A

Re: Foreach for multivalue variable

woodcock — Fri, 30 Jun 2017 15:27:36 GMT

If I understand you correctly (which is by not means likely), like this:

| makeresults 
| eval raw="2016-02-29 04:25:00    998097    *A    1.90
2016-02-29 04:26:32    998097    programm stradaniy levoi ruki 2    1.60
2016-02-29 04:28:34    998097    *B 1 Sec Fast    0.74
2016-02-29 05:15:38    762888    *A    2.06
2016-02-29 05:17:15    762888    *B 1 Sec Fast    0.83
2016-02-29 05:19:01    762888    programm stradaniy levoi ruki    2.06
2016-02-29 06:11:04    547662    small1    2.04
2016-02-29 06:13:14    547662    small1    1.61
2016-02-29 06:17:44    547662    8    1.80
2016-03-03 08:20:20    221439    *A    0.98
2016-03-03 08:22:14    221439    programm stradaniy levoi ruki    1.21"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<_time>\S+\s+\S+)\s+(?<PATIENT_ID>\S+)\s+(?<EXAM_TYPE>.*?)\s+(?<AVG_RT>\S+)$"
| eval _time = strptime(_time, "%Y-%m-%d %H:%M:%S")

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| bin span=1d _time
| stats avg(AVG_RT) AS AVG_RT BY _time EXAM_TYPE PATIENT_ID