Run search repeatedly for different filter results

edward_stewart
New Member

I am trying to run a search over a very large number of events. Because it uses trendline and predict I am only able to output the results one at a time for each change in field foo.

I would like to run the search repeatedly with a table of results at the end with the result of the search for each value in foo
Unfortunately I can only combine the results into a single value or run the search individually for each different foo.
This is time-consuming and frankly not repeatable, which is required.

I was looking at the map command and hoping it would provide me with a method of doing what I am doing.

Any help is appreciated. Below is a masked version of the search I am running and I have bolded the fields that will change.

index=summary_index sourcetype=summary_data NAME=Device1 SECTOR="1"
| timechart sum(eval(BBH_L_Thrp_bits_DL_Avg/8/1024/1024/1024)) as Bits span=1w
| trendline sma10(Bits) as Bits_AVG
| predict Bits_AVG algorithm=LLP5 future_timespan=52 holdback=38
| rename prediction(Bits_AVG) as Prediction_Accuracy
| eval Model_variance=((Bits_AVG - Prediction_Accuracy)/Bits_AVG*100)
| stats max(Model_variance) min(Model_variance)

0 Karma

DalJeanis
Legend

You probably want to avoid map for something like this, because map is generally very slow and finicky and you can't tell what is going on until it finally either completes or fails.

Here is one way that you can get any number of these in one run, although you would have to repeat some code for each value, so it is not optimal as coded here...

| makeresults  
| eval NAME = "A B C" | makemv NAME | mvexpand NAME
| eval recno=mvrange(1,200) 
| mvexpand recno 
| eval _time=relative_time(_time,"-3d@d") +720*recno 
| eval mycount=random()%25 + random()%13 +recno*3
| eval mycount=mycount+case(NAME="B",100+random()%37,NAME="C",200+random()%27,true(),0)
| rename COMMENT as "The above just generates test data with a visible trend for three different values of NAME (A, B, C)"

| rename COMMENT as "This could be replaced with a bin _time and stats if you need more dimensions"
| timechart max(mycount) as Bits by NAME

| rename COMMENT as "This code gets copied once per value of NAME - it could be in a macro if you prefer"
| trendline sma10(A) as A_AVG
| predict A_AVG algorithm=LLP5 future_timespan=52 holdback=38
| rename prediction(A_AVG) as Prediction_Accuracy_A
| eval Model_VarianceA=(100*(A_AVG - Prediction_Accuracy_A)/A_AVG) 

| trendline sma10(B) as B_AVG
| predict B_AVG algorithm=LLP5 future_timespan=52 holdback=38
| rename prediction(B_AVG) as Prediction_Accuracy_B
| eval Model_VarianceB=(100*(B_AVG - Prediction_Accuracy_B)/B_AVG) 

| trendline sma10(C) as C_AVG
| predict C_AVG algorithm=LLP5 future_timespan=52 holdback=38
| rename prediction(C_AVG) as Prediction_Accuracy_C
| eval Model_VarianceC=(100*(C_AVG - Prediction_Accuracy_C)/C_AVG)


| rename COMMENT as "And now we get your results"
| stats min(Model_Variance*) as minModel_Variance* max(Model_Variance*) as maxModel_Variance*
| eval recno=1
| untable recno varname varvalue
| rex field=varname "(?<vartype>minModel_Variance|maxModel_Variance)(?<NAME>.*)"
| eval {vartype}=varvalue
| fields - recno varname vartype varvalue
| stats values(*) as * by NAME
0 Karma

edward_stewart
New Member

I am hoping to avoid cascading the code for each device since there are more than 4000 of them. I also do not know what the values are going to be at any given point in time, as it will change as our network devices change.

My code is working really well to do it for one device at a time, but I would like to figure out how to run it and table it out for all devices.

If I really have to write the search to repeat for each device I will, but if there is a way to avoid it so that the list can be self generating then that would be ideal.

In other words lines 13-17 are based on the field values in "NAME" but I won't always know what those are. They are long cumbersome strings.

In any event, I am going to play a bit with your suggestion and see if it helps me.

Thanks for the reply.

0 Karma
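Since the follow-up asks for a list of NAME values that is generated from the data rather than hard-coded, the following SPL is an added example (not code from either poster) of the map-driven variant the original question hinted at. It reuses the index, sourcetype, field names and predict parameters from the masked search above; the `$NAME$` token substitution and the `maxsearches` option are standard features of Splunk's map command, and the `rename COMMENT` lines are the same comment idiom used in the answer.

```spl
index=summary_index sourcetype=summary_data SECTOR="1"
| stats count by NAME
| fields NAME
| rename COMMENT as "Step 1: the driver list comes from the data itself, so NAME values never need to be typed in"

| rename COMMENT as "Step 2: run the original per-device search once per NAME; map substitutes $NAME$ before each run"
| map maxsearches=5000 search="search index=summary_index sourcetype=summary_data NAME=\"$NAME$\" SECTOR=\"1\"
    | timechart sum(eval(BBH_L_Thrp_bits_DL_Avg/8/1024/1024/1024)) as Bits span=1w
    | trendline sma10(Bits) as Bits_AVG
    | predict Bits_AVG algorithm=LLP5 future_timespan=52 holdback=38
    | rename prediction(Bits_AVG) as Prediction_Accuracy
    | eval Model_variance=((Bits_AVG - Prediction_Accuracy)/Bits_AVG*100)
    | stats max(Model_variance) as maxModel_variance min(Model_variance) as minModel_variance
    | eval NAME=\"$NAME$\""

| rename COMMENT as "Step 3: one row per device with its min and max model variance"
| table NAME minModel_variance maxModel_variance
```

Two checks before relying on this: maxsearches defaults to a small number, so it has to be raised above the device count or map silently stops early, and each NAME costs a full search run one after another, which is exactly the slowness warned about in the answer. If the inner searches should cover a specific window, pass earliest and latest explicitly inside the map search rather than assuming they inherit the outer time range. The reason map (or the per-column cascade in the answer) is needed at all is that predict has no by clause, so it cannot be grouped per device the way stats or streamstats can.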