topic how to make loop in splunk query in Splunk Search

how to make loop in splunk query

leejaeyong — Wed, 30 Sep 2020 00:28:27 GMT

My final purpose is factor1 grouping.
I want somebody see before / after search result and code.

how to make for loop in splunk query?

*wanted query

factor1_hierarchy_level = 100
factor1_refference_value = 'one of all factor1 number'    

  for(i=1, i<=factor1_hierarchy_level, i=i+1)
 {
     factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
     factor1_next=factor1_min+factor1_hierarchy_flag*(i)

     case(factor1_prev<factor1_refference_value<factor1_next)
     factor1_grouping=i
     case(factor1_pv>factor1_max)
     return 0
}

Re: how to make loop in splunk query

maciep — Thu, 09 May 2019 23:37:01 GMT

So when wanting to loop in Splunk, I typically try to take advantage of the fact that splunk is already looping through my events. But sometimes to do that, you have to use spl to add/remove/modify events in order to have the right result set to then take advantage of that inherent looping. It took me a while to get it, but i really think of spl as more like jiu jitsu to programming's boxing...if that makes any sense.

So in this case, i would probably do something like this:

For each event, create a multi-value field with numbers ranging from 1 to 100
Then i would mvexpand that field - so now each original event is actually 100 events - the only difference between them is the new number field (your i iterator)
So now splunk will inherently loop for me
So i can calculate whatever that is that's inside your loop, and drop it in a new field for that event
Then, i can filter my events similarly to your case statements
and then when done, should similar to your desired output i think

Maybe something like this:

<your search>
| eval i = mvrange(1,100)
| mvexpand i
| eval reference = 50, prev=factor1_min+factor1_hierarchy_flag*(i-1), next=factor1_min+factor1_hierarchy_flag*(i)
| eval keep = case(next > reference AND prev < reference, 1)
| where keep=1
| fields - keep
| rename i AS factor1_grouping

Honestly, i have no idea what you're actually doing in your calculations or what that reference value is, and so not sure if this search produces the expected results. But hopefully it at least gives you an idea of how i would handle the looping part of the question. It's all about manipulating your result set with SPL until you have something that will work for splunk's inherent looping.