Getting Data In

Run search repeatedly for different filter results

edward_stewart
New Member

I am trying to run a search over a very large number of events. Because it uses trendline and predict I am only able to output the results one at a time for each change in field foo.

I would like to run the search repeatedly with a table of results at the end with the result of the search for each value in foo
Unfortunately I can only combine the results into a single value or run the search individually for each different foo.
This is time consuming and frankly not repeatable, which is required.

I was looking at the map command and hoping it would provide me with a method of doing what I am doing.

Any help is appreciated. Below is a masked version of the search I am running and I have bolded the fields that will change.

index=summary_index sourcetype=summary_data NAME=Device1

SECTOR="1"

| timechart
sum(eval(BBH_L_Thrp_bits_DL_Avg/8/1024/1024/1024)) span=1w as Bits
|trendline sma10(Bits) as Bits_AVG |predict Bits_AVG algorithm=LLP5 future_timespan=52 holdback=38
|rename prediction(Bits_AVG) as Prediciton_Accuracy | eval Model_variance=((Bits_AVG - Prediciton_Accuracy)/Bits_AVG*100)
| stats max(Model_variance) min(Model_variance)

0 Karma

DalJeanis
Legend

You probably want to avoid map for something like this, because map is generally very slow and finnicky and you can't tell what is going on until it finally either completes or fails.

Here is one way that you can get any number of these in one run, although you would have to repeat some code for each value, so it is not optimal as coded here...

| makeresults  
| eval NAME = "A B C" | makemv NAME | mvexpand NAME
| eval recno=mvrange(1,200) 
| mvexpand recno 
| eval _time=relative_time(_time,"-3d@d") +720*recno 
| eval mycount=random()%25 + random()%13 +recno*3
| eval mycount=mycount+case(NAME="B",100+random()%37,NAME="C",200+random()%27,true(),0)
| rename COMMENT as "The above just generates test data with a visible trend for three different values of NAME (A, B, C)"

| rename COMMENT as "This could be replaced with a bin _time and stats if you need more dimensions"
| timechart max(mycount) as Bits by NAME

| rename COMMENT as "This code gets copied once per value of NAME - it could be in a macro if you prefer"
| trendline sma10(A) as A_AVG
| predict A_AVG algorithm=LLP5 future_timespan=52 holdback=38
| rename prediction(A_AVG) as Prediction_Accuracy_A
| eval Model_VarianceA=(100*(A_AVG - Prediction_Accuracy_A)/A_AVG) 

| trendline sma10(B) as B_AVG
| predict B_AVG algorithm=LLP5 future_timespan=52 holdback=38
| rename prediction(B_AVG) as Prediction_Accuracy_B
| eval Model_VarianceB=(100*(B_AVG - Prediction_Accuracy_B)/B_AVG) 

| trendline sma10(C) as C_AVG
| predict C_AVG algorithm=LLP5 future_timespan=52 holdback=38
| rename prediction(C_AVG) as Prediction_Accuracy_C
| eval Model_VarianceC=(100*(C_AVG - Prediction_Accuracy_C)/C_AVG)


| rename COMMENT as "And now we get your results"
| stats min(Model_Variance*) as minModel_Variance* max(Model_Variance*) as maxModel_Variance*
| eval recno=1
| untable recno varname varvalue
| rex field=varname "(?<vartype>minModel_Variance|maxModel_Variance)(?<NAME>.*)"
| eval {vartype}=varvalue
| fields - recno varname vartype varvalue
| stats values(*) as * by NAME
0 Karma

edward_stewart
New Member

I am hoping to avoid cascading the code for each device since there are more than 4000 of them. I also do not know what the values are going to be at any given point in time as it will change s our network devices change.

My code is working really well to do it for one device at a time, but I would like to figure out how to run it and table it out for all devices.

If I really have to write the search to repeat for each device I will, but if there is a way to avoid it so that the list can be self generating then that would be ideal.

In other words lines 13-17 are based on the field values in "NAME" but I won't always know what those are. They are long cumbersome strings.

In any event, I am going to play a bit with your suggestion and see if it helps me.

Thanks for the reply.

0 Karma
Get Updates on the Splunk Community!

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...

Introducing New Splunkbase Governance!

Splunk apps are essential for maximizing the value of your Splunk Experience. Whether you’re using the default ...

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...