topic Re: how to make 'for loop' in splunk query in Splunk Search

how to make 'for loop' in splunk query

leejaeyong — Tue, 07 May 2019 05:44:17 GMT

For all row, how can i make splunk query following 'for loop'?

for(i=1, i<100, i=i+1)
{
    factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
    factor1_pv=factor1_min+factor1_hierarchy_flag*i
    factor1_next=factor1_min+factor1_hierarchy_flag*(i+1)

    case(factor1_prev<factor1_pv<factor1_next)
    factor1_hierarchy=i
    case(factor1_pv>factor1_max)
    return 0
}

Re: how to make 'for loop' in splunk query

MuS — Wed, 08 May 2019 03:40:32 GMT

Hi leejaeyong,

you can try this:

| makeresults count=100 
| streamstats count AS foo 
| eval factor1_min=(random() % 100) /2, factor1_hierarchy_flag=(random() % 100) +2 
| rename comment AS "This ^^^ just creates dummy data" 
| eval factor1_prev=factor1_min+factor1_hierarchy_flag*(foo-1),
    factor1_pv=factor1_min+factor1_hierarchy_flag*foo,
    factor1_next=factor1_min+factor1_hierarchy_flag*(foo+1),
    factor1_hierarchy=case(factor1_prev < factor1_pv AND factor1_pv <factor1_next, foo, factor1_pv>factor1_max, 0, true(), "unknonw")

Everything up until the rename command creates just dummy events, and the last eval will be your loop over the 100 events. In this example foo is your i in your code.

Hope this helps ...

cheers, MuS

PS: I noticed that in your example factor1_max is missing that's why the last case() statement never will match.

Re: how to make 'for loop' in splunk query

leejaeyong — Wed, 30 Sep 2020 00:28:08 GMT

'MuS' thank you
but i think that did not communicate my problem in sufficient quantity.

My final purpose is factor1 grouping.
I want somebody see before / after search result and code.

*wanted query

factor1_hierarchy_level = 100
factor1_refference_value = 'one of all factor1 number'    

    for(i=1, i<=factor1_hierarchy_level, i=i+1)
    {
        factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
        factor1_next=factor1_min+factor1_hierarchy_flag*(i)

        case(factor1_prev<factor1_refference_value<factor1_next)
        factor1_grouping=i
        case(factor1_pv>factor1_max)
        return 0
     }