Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looping in Splunk...

sjringo
Communicator
‎10-07-2021 05:04 AM

Trying to figure out how to loop in Splunk.  I have the below query and my end result is to map/chart into a timechart by the percentage over _time.

index=anIndex sourcetype=aSource StringA earliest=-480m latest=-240m | stats count as A

| appendcols [search index=anIndex sourcetype=aSouce StringB earliest=-480m latest=-240m | stats count as B ]

| eval _time = relative_time(now(), "-240m@m")

| eval percentage = round(( A / B) * 100)

| fields + _time, percentage

 

Variables that need to change with each loop.

Lets assume I want to show percentage starting from 4 hour in the past to the current time by 30 minute increments.

1) Index: the earliest and latest need to increment by +30 minutes starting at (latest=-480, earliest = -240) till I get to 0

2) _time will need to be relative to when I start (beginning @ time now(), -240) and be adjusted on each loop by + 30 mins till I get to 0

 

I have looked at many examples but do not understand how to apply it to my requirements...

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 07:05 AM

Try removing that line

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-07-2021 05:43 AM

SPL is not a procedural language so we have to think a little differently to get the job done.  Fortunately, it can do looping for us.

index=anIndex sourcetype=aSource (StringA OR StringB) earliest=-480m latest=-240m 
| bucket span=30m _time
| stats sum(eval(like(_raw, "%StringA%"))) as A, sum(eval(like(_raw, "%StringB%"))) as B by _time
| eval percentage = round(( A / B) * 100)
| fields _time, percentage
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sjringo
Communicator
‎10-07-2021 06:27 AM

Pseudo code, mixture of Java and SPL:

 

int aSpan = 240;   <- 4 hours

for (int anInt = -510; anInt > 0; anInt -30) {

 

              index=anIndex sourcetype=aSourceType StringA earliest=-(anInt)m latest=-(anInt+aSpan)m | stats count as A

              | appendcols [search index=anIndex sourcetype=aSourceType StringB -(anInt)m latest=-(anInt+aSpan)m | stats count as B ]

              | eval _time = relative_time(now(), "-(anInt)m@m")

              | eval percentage = round((A / B) * 100)

              | + fields _time, percentage   

}

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-07-2021 05:42 AM

It's again the https://community.splunk.com/t5/Splunk-Search/Timechart-of-a-percentage-using-data-from-X-hours-ago/... topic? 🙂

I still think you're not telling us what you want to achieve but what you're trying to force splunk to do.

I understand that you want to calculate some stats based on how many times StringA appears in events with sourcetype=A and how many times StringB appears in events with sourcetype=B.

But what is the desired result. Tell us what is this supposed to represent.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 05:39 AM

Does this work for you?

index=anIndex sourcetype=aSource StringA earliest=-480m latest=-240m
| bin _time span=30m
| stats count as A

| appendcols [search index=anIndex sourcetype=aSouce StringB earliest=-480m latest=-240m 
| bin _time span=30m
| stats count as B ]

| eval _time = relative_time(now(), "-240m@m")

| eval percentage = round(( A / B) * 100)

| fields + _time, percentage
0 Karma
Reply
Solved! Jump to solution

sjringo
Communicator
‎10-07-2021 06:10 AM

I added ( | bin _time span=30m) and the results were one percentage calculation.  What I am looking for is the percentage calculation over time .  I am looking for results like this, lets assume we run the query at 4 AM.  Starting @ midnight then moving forward till we get till 4 AM.

_time                                                Percentage                               earliest                           latest

2021-10-07 00:00:00                P1                                                 -480                                -240

2021-10-07 00:30:00                P2                                                 -450                                -210

2021-10-07 01:00:00                P3                                                 -420                                -180

2021-10-07 04:00:00                PX                                                 -240                                -0

Then I would use the timechart on ( _time, Percentage) which would show me how the percentage moves up/down every 30 mins from midnight till 4 AM.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 06:17 AM

Sorry I missed the by _time out

index=anIndex sourcetype=aSource StringA earliest=-480m latest=-240m
| bin _time span=30m
| stats count as A by _time

| appendcols [search index=anIndex sourcetype=aSouce StringB earliest=-480m latest=-240m 
| bin _time span=30m
| stats count as B by _time]

| eval _time = relative_time(now(), "-240m@m")

| eval percentage = round(( A / B) * 100)

| fields + _time, percentage
0 Karma
Reply
Solved! Jump to solution

sjringo
Communicator
‎10-07-2021 07:01 AM

Much, Much better...  One thing is that _time is the same for each percentage result, which makes sense since the _time eval is:

| eval _time = relative_time(now(), "-240m@m")

How would I make it move in 30 minute intervals which is the bin span ? 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 07:05 AM

Try removing that line

Reply
Solved! Jump to solution

sjringo
Communicator
‎10-07-2021 07:14 AM

That did the trick.  Once again thanks for your help!

My procedural brain was just not seeing the problem correctly...

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 09:50 AM

Yes, SPL is not procedural, although there are ways to do loops of a sort, but they wouldn't have helped in your case.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...