Splunk Search

Looping in Splunk Query

Gowthamdevaraj
New Member

Hello Everyone.

I have a traceability report as below:
Parent Child
A B
A C
B D
C E
C F

Whereas I have to create the linked traceability as:
Parent Son Grandson
A B D
A C E
A C F

I am struggling to identify the base query for this use case; can anyone suggest one?



to4kawa
Ultra Champion
| makeresults count=200
| eval Parent=mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random()%26)
| eval Son=mvindex(split("ABCDEFGHIJKLMNOPQRSTUVWXYZ",""),random()%26)
| table Parent Son
| dedup Parent Son
| rename COMMENT as "from here, the logic"
| rename COMMENT as "collect every Parent.Son pair as one multivalue list on every row"
| eval tmp=Parent.Son
| eventstats values(tmp) as listed
| mvexpand listed
| rename COMMENT as "split each two-character pair back into its two single-character nodes"
| rex field=listed max_match=0 "(?<Grandson1>\w)(?<Grandson2>\w)"
| rename COMMENT as "keep the pairs whose first node is this row's Son; the second node is then the Grandson"
| where Son==Grandson1
| table Parent Son Grandson2
| rename Grandson2 as Grandson
| dedup Parent Son Grandson
| sort Parent Son Grandson

For three categories, it can be forced to do this.


ktugwell_splunk
Splunk Employee

Hey there,

This had me puzzled for a bit! And I do hope I haven't over-engineered it.

I think the best way for you to achieve this is to potentially use a lookup. This will work on small to moderate datasets; if your dataset is larger, you may want to consider the KV Store.

First, I reproduced your dataset like this:

| makeresults count=5 
| streamstats count 
| eval Parent=CASE(count=1,"A",count=2,"A",count=3,"B",count=4,"C",count=5,"C",1==1,0) 
| eval Child=CASE(count=1,"B",count=2,"C",count=3,"D",count=4,"E",count=5,"F",1==1,0)
| fields - _time
| fields Parent Child

Then I output the results to a CSV: | outputlookup family.csv

I then used that output to link the family members together.

| makeresults count=5 
| streamstats count 
| eval Parent=CASE(count=1,"A",count=2,"A",count=3,"B",count=4,"C",count=5,"C",1==1,0) 
| eval Child=CASE(count=1,"B",count=2,"C",count=3,"D",count=4,"E",count=5,"F",1==1,0) 
| fields - _time 
| fields Parent Child 
| lookup family.csv Parent AS Child OUTPUT Child AS Grandchild 

Finally, you'll see that, because C is the parent of both E and F, Splunk will give you a multivalued field for Grandchild.

You can then use | mvexpand Grandchild, which should give you the result you're looking for.

I hope this works for you and demonstrates how a lookup can be used to match data like this. Remember, you can always schedule the outputlookup to keep the family.csv up to date.

Thanks


gowtham08091
Explorer

Hi @ktugwell_splunk 

Thanks for your response. In this case the count of 5 is dynamic; there may be hundreds of rows with the parent-child relationship. In such a use case, how would I build the relationship?


Thanks,

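Added example (not from either poster in this thread): the lookup approach from ktugwell_splunk's reply extends to an arbitrary edge list and to any fixed number of levels by chaining the self-lookup, one extra lookup/mvexpand pair per generation, with a root filter in front so only chains that start at a top-level Parent survive, which is what the expected output shows (only A on the left). It assumes the family.csv lookup with columns Parent and Child created by | outputlookup as described above; the field names Son, Grandson, GreatGrandson and gp are my own. Unlike the rex-based version, it does not depend on node IDs being a single character.

```spl
| inputlookup family.csv
| rename COMMENT AS "root filter: drop any Parent that appears as somebody's Child"
| lookup family.csv Child AS Parent OUTPUT Parent AS gp
| where isnull(gp)
| fields - gp
| rename COMMENT AS "level 2: join the edge list to itself on Child = Parent; C -> {E,F} comes back multivalued"
| lookup family.csv Parent AS Child OUTPUT Child AS Grandson
| mvexpand Grandson
| rename COMMENT AS "level 3: one more self-join; copy these two lines again for each further generation"
| lookup family.csv Parent AS Grandson OUTPUT Child AS GreatGrandson
| mvexpand GreatGrandson
| rename Child AS Son
| table Parent Son Grandson GreatGrandson
| sort Parent Son Grandson GreatGrandson
```

On the sample data this yields A B D, A C E and A C F, with GreatGrandson empty because the graph is only three deep; a row's trailing columns simply stay blank when the chain ends early, because a lookup with no match adds nothing and mvexpand passes an event without the field through unchanged. SPL has no recursion, so the depth is fixed by how many lookup/mvexpand pairs you write, not by the data; a cycle in the edge list (B -> A alongside A -> B) therefore cannot loop forever, but it will appear as a repeated node in the path and the root filter will drop both nodes as roots, so check for cycles before trusting the output. Hundreds of rows are fine for a CSV lookup; for much larger graphs use the KV Store as suggested above.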