
How to use a while loop in a Splunk query

Explorer

Hi,
I want to write a search query for the condition below:
boolean flag = false;
while speed>0
if(speed>0 & speed<5 and flag==false)
count=count+1; flag=true;
if(speed>5 and flag==true)
flag=false;
end while;
return count;

Splunk Employee

Like @martin_muller said, the Splunk search language is not a programming language. You will do better by switching your mind to the search way, where each search part passes its results to the next part, etc.
Example: <search conditions> | <function> | <function> | <new conditions> | <formatting>

If you have events like these and all your fields are correctly extracted:

latitude longitude duration speed
18.59094039 73.74169497 11-02-2014 19:42 0.833333
18.59096988 73.74183935 11-02-2014 19:43 1.833333

You can use a search like this to prepare your results:

source=mysource | eval speed_range=case(speed<=0,"null",speed>0 AND speed <5,"low-range",speed>=5,"high-range",1=1,"speed error") | table duration speed_range

Now if you want the total per range, convert the duration to seconds and add a stats function.

source=mysource | eval speed_range=case(speed<=0,"null",speed>0 AND speed <5,"low-range",speed>=5,"high-range",1=1,"speed error") | stats count by speed_range

If you are looking for the duration as the difference of "duration" between your 2 events in the same speed_range, you should start by converting your duration to _time and use the transaction command.

source=mysource | eval speed_range=case(speed<=0,"null",speed>0 AND speed <5,"low-range",speed>=5,"high-range",1=1,"speed error") | eval _time=strptime(duration,"%d-%m-%Y %H:%M") | transaction speed_range | table _time duration speed_range

See http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Convert
and http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Transaction

Explorer

Below is some detail of the exact problem:

latitude longitude duration speed
18.59094039 73.74169497 11-02-2014 19:42 0.833333
18.59096988 73.74183935 11-02-2014 19:43 1.833333
18.59101222 73.74205194 11-02-2014 19:44 6.666667
18.59101222 73.74205194 11-02-2014 19:44 0.666667
A group is counted as one when speed>=0 and speed<=5. If speed exceeds 5, then again search for speed>=0 and speed<=5 and count it as the 2nd group until speed>5 is found. We want the duration for each such

0 Karma
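As an added worked example (not code from this thread or from Splunk), here is the asker's flag-based algorithm written as one pass over time-ordered events in Python: it counts runs of consecutive events whose speed lies within 0 to 5 inclusive (the bounds given in the clarification above, with negative or null speeds treated as out of range, like the "null" branch of the case() in the answer) and reports the duration of each run. The sample rows are constructed from the four events above; the day-month-year parsing of the "duration" column, the inclusive bounds, and all function names are assumptions of this example. The point is that the "while" is really a state carried from one event to the next, which is what a streamstats-based search does, so no loop is needed.

```python
from datetime import datetime

# Constructed sample rows modelled on the four events in the thread:
# (latitude, longitude, timestamp string from the "duration" column, speed).
SAMPLE_ROWS = [
    (18.59094039, 73.74169497, "11-02-2014 19:42", 0.833333),
    (18.59096988, 73.74183935, "11-02-2014 19:43", 1.833333),
    (18.59101222, 73.74205194, "11-02-2014 19:44", 6.666667),
    (18.59101222, 73.74205194, "11-02-2014 19:44", 0.666667),
]

# Assumption: the "duration" column is a day-month-year wall-clock stamp.
TIME_FORMAT = "%d-%m-%Y %H:%M"


def in_range(speed, low=0.0, high=5.0):
    """True when speed lies in the closed interval [low, high]."""
    return low <= speed <= high


def speed_groups(rows, low=0.0, high=5.0):
    """One pass over time-ordered events, replacing the asker's while loop.

    `current` plays the role of the boolean flag: None means no group is open.
    An in-range event opens a group (or extends the open one); an out-of-range
    event closes it, so the next in-range event starts a new group.
    Returns one dict per group with start/end times, event count and duration.
    """
    # sorted() is stable, so events sharing a timestamp keep their input order.
    ordered = sorted(rows, key=lambda r: datetime.strptime(r[2], TIME_FORMAT))
    groups = []
    current = None
    for _lat, _lon, stamp, speed in ordered:
        when = datetime.strptime(stamp, TIME_FORMAT)
        if in_range(speed, low, high):
            if current is None:
                current = {"start": when, "end": when, "events": 0}
                groups.append(current)
            current["end"] = when
            current["events"] += 1
        else:
            current = None
    for group in groups:
        group["duration_s"] = (group["end"] - group["start"]).total_seconds()
    return groups


def count_groups(rows, low=0.0, high=5.0):
    """The `count` the asker's pseudocode returns: number of in-range runs."""
    return len(speed_groups(rows, low, high))


if __name__ == "__main__":
    for i, g in enumerate(speed_groups(SAMPLE_ROWS), start=1):
        print(f"group {i}: {g['events']} event(s), "
              f"{g['start']:%H:%M} -> {g['end']:%H:%M}, {g['duration_s']:.0f}s")
    print("groups:", count_groups(SAMPLE_ROWS))
```

On the four sample rows this yields two groups: events 1 and 2 (60 seconds apart) and event 4 alone (0 seconds), with event 3 closing the first group. In SPL the role of `current` is played by a field carried across events with streamstats (for example the previous event's in-range flag, or a running sum of group starts used as a group id) after the timestamp string has been converted to _time with strptime and the events sorted by _time; each group's duration is then max(_time) minus min(_time) per group id.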

SplunkTrust

What defines a 'group'? As @martin_mueller said, you won't solve this with a while loop using Splunk - but it can be solved otherwise. However, more information is needed to help you write a search. Do you have an example of your data and desired results?

0 Karma

Explorer

Speed is the column name. I want to count the number of groups having speed between 0 to 5. I needed something like while to iterate over and use a flag as in the above algo.

0 Karma

SplunkTrust

Splunk Processing Language likely is not Turing-complete, there is no while loop. If there were, your loop would run indefinitely because its body doesn't modify the speed variable.

What are you actually trying to achieve?