Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looping in Splunk...

sjringo
Contributor
‎10-07-2021 05:04 AM

Trying to figure out how to loop in Splunk.  I have the below query and my end result is to map/chart into a timechart by the percentage over _time.

index=anIndex sourcetype=aSource StringA earliest=-480m latest=-240m | stats count as A

| appendcols [search index=anIndex sourcetype=aSouce StringB earliest=-480m latest=-240m | stats count as B ]

| eval _time = relative_time(now(), "-240m@m")

| eval percentage = round(( A / B) * 100)

| fields + _time, percentage

 

Variables that need to change with each loop.

Lets assume I want to show percentage starting from 4 hour in the past to the current time by 30 minute increments.

1) Index: the earliest and latest need to increment by +30 minutes starting at (latest=-480, earliest = -240) till I get to 0

2) _time will need to be relative to when I start (beginning @ time now(), -240) and be adjusted on each loop by + 30 mins till I get to 0

 

I have looked at many examples but do not understand how to apply it to my requirements...

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 07:05 AM

Try removing that line

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-07-2021 05:43 AM

SPL is not a procedural language so we have to think a little differently to get the job done.  Fortunately, it can do looping for us.

index=anIndex sourcetype=aSource (StringA OR StringB) earliest=-480m latest=-240m 
| bucket span=30m _time
| stats sum(eval(like(_raw, "%StringA%"))) as A, sum(eval(like(_raw, "%StringB%"))) as B by _time
| eval percentage = round(( A / B) * 100)
| fields _time, percentage
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

sjringo
Contributor
‎10-07-2021 06:27 AM

Pseudo code, mixture of Java and SPL:

 

int aSpan = 240;   <- 4 hours

for (int anInt = -510; anInt > 0; anInt -30) {

 

              index=anIndex sourcetype=aSourceType StringA earliest=-(anInt)m latest=-(anInt+aSpan)m | stats count as A

              | appendcols [search index=anIndex sourcetype=aSourceType StringB -(anInt)m latest=-(anInt+aSpan)m | stats count as B ]

              | eval _time = relative_time(now(), "-(anInt)m@m")

              | eval percentage = round((A / B) * 100)

              | + fields _time, percentage   

}

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-07-2021 05:42 AM

It's again the https://community.splunk.com/t5/Splunk-Search/Timechart-of-a-percentage-using-data-from-X-hours-ago/... topic? 🙂

I still think you're not telling us what you want to achieve but what you're trying to force splunk to do.

I understand that you want to calculate some stats based on how many times StringA appears in events with sourcetype=A and how many times StringB appears in events with sourcetype=B.

But what is the desired result. Tell us what is this supposed to represent.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 05:39 AM

Does this work for you?

index=anIndex sourcetype=aSource StringA earliest=-480m latest=-240m
| bin _time span=30m
| stats count as A

| appendcols [search index=anIndex sourcetype=aSouce StringB earliest=-480m latest=-240m 
| bin _time span=30m
| stats count as B ]

| eval _time = relative_time(now(), "-240m@m")

| eval percentage = round(( A / B) * 100)

| fields + _time, percentage
0 Karma
Reply
Solved! Jump to solution

sjringo
Contributor
‎10-07-2021 06:10 AM

I added ( | bin _time span=30m) and the results were one percentage calculation.  What I am looking for is the percentage calculation over time .  I am looking for results like this, lets assume we run the query at 4 AM.  Starting @ midnight then moving forward till we get till 4 AM.

_time                                                Percentage                               earliest                           latest

2021-10-07 00:00:00                P1                                                 -480                                -240

2021-10-07 00:30:00                P2                                                 -450                                -210

2021-10-07 01:00:00                P3                                                 -420                                -180

2021-10-07 04:00:00                PX                                                 -240                                -0

Then I would use the timechart on ( _time, Percentage) which would show me how the percentage moves up/down every 30 mins from midnight till 4 AM.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 06:17 AM

Sorry I missed the by _time out

index=anIndex sourcetype=aSource StringA earliest=-480m latest=-240m
| bin _time span=30m
| stats count as A by _time

| appendcols [search index=anIndex sourcetype=aSouce StringB earliest=-480m latest=-240m 
| bin _time span=30m
| stats count as B by _time]

| eval _time = relative_time(now(), "-240m@m")

| eval percentage = round(( A / B) * 100)

| fields + _time, percentage
0 Karma
Reply
Solved! Jump to solution

sjringo
Contributor
‎10-07-2021 07:01 AM

Much, Much better...  One thing is that _time is the same for each percentage result, which makes sense since the _time eval is:

| eval _time = relative_time(now(), "-240m@m")

How would I make it move in 30 minute intervals which is the bin span ? 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 07:05 AM

Try removing that line

Reply
Solved! Jump to solution

sjringo
Contributor
‎10-07-2021 07:14 AM

That did the trick.  Once again thanks for your help!

My procedural brain was just not seeing the problem correctly...

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-07-2021 09:50 AM

Yes, SPL is not procedural, although there are ways to do loops of a sort, but they wouldn't have helped in your case.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...