Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a recursive search to build a tree structure?

unchura
Explorer
‎12-05-2016 09:52 AM

I have a csv index imported in Splunk and it represents static pairs "child-account" structure i,e:

account,parent
126,783
125,783
124,783
123,783
321,555
555,777
789,777
999,222
783,222
777,222
222,111
111,0

I need to build a search that would bring back specific branch of the tree structure based on the given parent/branch name i.e

Search for "783" would bring a table result that looks like this:

account,parent
126,783
125,783
124,783
123,783
783,0

or if a search for "777" would bring only children and all below successors, i.e:

account,parent
321,555
555,777
789,777
777,0

Ideally, I also need a way to search and bring resulting ancestors for any given child i,e:
when searching for "777", that would bring:

account,parent
777,222
222,111
111,0

Thank you in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎12-05-2016 05:30 PM

There may be a way, but I don't think Splunk is really built for this kind of iteration/recursion. I don't suppose there is a depth limit to this tree, is there?

Here's an example that starts to build the whole tree out, but I'm not sure if there's a way (maybe with foreach or map) to actually build it out to completion. 

| inputlookup account_child.csv 
| table parent account 
| join type=left max=0 account 
    [| inputlookup account_child.csv 
    | rename account as account2 
    | rename parent as account] 
| join type=left max=0 account2 
    [| inputlookup account_child.csv 
    | rename account as account3 
    | rename parent as account2] 
| join max=0 type=left account3 
    [| inputlookup account_child.csv 
    | rename account as account4 
    | rename parent as account3]

View solution in original post

Reply
Solved! Jump to solution
Solution

maciep
Champion
‎12-05-2016 05:30 PM

There may be a way, but I don't think Splunk is really built for this kind of iteration/recursion. I don't suppose there is a depth limit to this tree, is there?

Here's an example that starts to build the whole tree out, but I'm not sure if there's a way (maybe with foreach or map) to actually build it out to completion. 

| inputlookup account_child.csv 
| table parent account 
| join type=left max=0 account 
    [| inputlookup account_child.csv 
    | rename account as account2 
    | rename parent as account] 
| join type=left max=0 account2 
    [| inputlookup account_child.csv 
    | rename account as account3 
    | rename parent as account2] 
| join max=0 type=left account3 
    [| inputlookup account_child.csv 
    | rename account as account4 
    | rename parent as account3]
Reply
Solved! Jump to solution

unchura
Explorer
‎12-08-2016 07:52 AM

It worked and exactly what I looking for. There is no depth limit, but at least its predictable value and I do a finite amount of iterations that would cover the task.. Thanks!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-05-2016 11:09 AM

I am not able to correlate the pattern of all your three examples. Do you want single search to do all three? or they are three different scenarios you want to capture?

In any case here is the search string for first case of 783 example (I have used my own input lookup csv file similar to what you have provided and searchField is hard-coded as 783 which you can have a input Dashboard form)

 | inputlookup account_tree | eval searchField=783 |where account=searchField OR parent=searchField | eval parent=if(parent==searchField,parent,0) | fields - searchField

Following is the output:
account parent
126 783
125 783
124 783
123 783
783 0

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

unchura
Explorer
‎12-05-2016 11:24 AM

this is great working one, however it unable to retrieve all the children recursively, ie. when search for "777" it would bring only 1 level of children but not their children, i.e:

account,parent
555,777
789,777
777,0

missing 321,555

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎12-05-2016 08:12 PM

Could you please confirm whether you want single query to do all three or separate queries will work?

Identifying single child and all parents would be possible as two separate queries if that works for you.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...