
How to use While Loop in splunk query

scool29
Explorer

Hi,
I want to write a search query for the condition below:
boolean flag = false;
while speed>0
if(speed>0 & speed<5 and flag==false)
count=count+1; flag=true;
if(speed>5 and flag==true)
flag=false;
end while;
return count;

yannK
Splunk Employee

Like @martin_muller said, the Splunk search language is not a programming language. You will do better by switching your mind to the search way, where each search part passes its results to the next part, etc.
example : <search conditions> | <function> | <function> | <new conditions> | <formatting>

if you have events like these and all your fields correctly extracted:

latitude longitude duration speed
18.59094039 73.74169497 11-02-2014 19:42 0.833333
18.59096988 73.74183935 11-02-2014 19:43 1.833333

you can use a search like this to prepare your results:

source=mysource | eval speed_range=case(speed<=0,"null",speed>0 AND speed <5,"low-range",speed>=5,"high-range",1=1,"speed error") | table duration speed_range

now if you want the total per range, convert the duration to seconds, and add a stats function.

source=mysource | eval speed_range=case(speed<=0,"null",speed>0 AND speed <5,"low-range",speed>=5,"high-range",1=1,"speed error") | stats count by speed_range

If you are looking for the duration as the difference of "duration" between your 2 events in the same speed_range, you should start by converting your duration to _time and use the transaction command.

source=mysource | eval speed_range=case(speed<=0,"null",speed>0 AND speed <5,"low-range",speed>=5,"high-range",1=1,"speed error") | eval _time=duration | transaction speed_range | table _time duration speed_range

see http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Convert
and http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Transaction

scool29
Explorer

Below is some detail of the exact problem:

latitude longitude duration speed
18.59094039 73.74169497 11-02-2014 19:42 0.833333
18.59096988 73.74183935 11-02-2014 19:43 1.833333
18.59101222 73.74205194 11-02-2014 19:44 6.666667
18.59101222 73.74205194 11-02-2014 19:44 0.666667
A group is counted as one when speed >=0 and speed<=5. If speed exceeds 5, then again search for speed>=0 and speed<=5 and count it as the 2nd group until speed>5 is found. We want the duration for each such

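Following yannK's pipeline approach, here is an added search (not from the original thread) that counts the groups defined above and gives each one a duration: every event with speed in (0, 5] is flagged low, a new group starts whenever a low event follows a non-low one (streamstats carries the previous flag forward), and a running sum of those starts numbers the groups. It assumes, as in yannK's examples, that the events come from source=mysource, that the "duration" field holds the timestamp as day-month-year, and that speed is already extracted as a number.

```spl
source=mysource
| eval _time=strptime(duration, "%d-%m-%Y %H:%M")
| sort 0 _time
| eval low=if(speed>0 AND speed<=5, 1, 0)
| streamstats current=f last(low) AS prev_low
| eval group_start=if(low=1 AND (isnull(prev_low) OR prev_low=0), 1, 0)
| streamstats sum(group_start) AS group_id
| where low=1
| stats min(_time) AS start max(_time) AS end count AS events BY group_id
| eval duration_sec=end-start
| fieldformat start=strftime(start, "%d-%m-%Y %H:%M")
| fieldformat end=strftime(end, "%d-%m-%Y %H:%M")
```

On the four sample rows this yields two groups (rows 1-2 and row 4), provided the two rows that share the 19:44 timestamp keep their original order; if your data has ties like that, add a secondary sort key (for example a sequence number) so that streamstats sees the events in the order they were recorded.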

dwaddle
SplunkTrust

What defines a 'group'? As @martin_mueller said, you won't solve this with a while loop using Splunk - but it can be solved otherwise. However, more information is needed to help you write a search. Do you have an example of your data and desired results?


scool29
Explorer

Speed is the column name. I want to count the number of groups having speed between 0 and 5. I needed something like while to iterate over and use a flag as in the above algo.


martin_mueller
SplunkTrust

Splunk Processing Language likely is not Turing-complete; there is no while loop. If there were, your loop would run indefinitely because its body doesn't modify the speed variable.

What are you actually trying to achieve?
