Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to convert the for loop in to splunk search

beenagulzar
New Member
‎02-15-2017 01:38 AM

i have a for loop statement need to get converted to splunk query .. i am not aware how to store the variable and use that in later search kindly need expert advice .

Here is the query
need to find the response time for the channel transaction
csv file has the following data :

Channel type time
channeltxn1 2210 09:10:00
channelmpn2 2210 09:12:15
channeltxn3 2210 10:12:00
channeltxn5 2210 12:00:00

channeltxn1 2100 10:16:00
channeltxn3 2100 11:11:00
channeltxn5 2100 11:15:00

for each unique Channel in to resultvalue where Channel=channeltxn* and type=2100
Responsetime ( (time where type=2210 and channel=resultvalue)- ( time where type=2100 and channel=resultvalue)) group by time in hour .

i can get the query for the first search but not aware how to store the value to resultvalue and get inside the loop for comparison. kindly need your help .

Thanks in advance.

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-15-2017 05:02 AM

Splunk doesn't do loops, searches work differently. Here's an approach, partly in pseudo-SPL:

| inputlookup your_lookup_here
... format the HH:MM:SS time into actual epoch values ...
| stats range(epoch_field) as duration values(type) as types by Channel

That will compute the difference between the smallest and largest time for each Channel, assuming each channel has exactly one request and response type. The values() will give you a list of types present for that Channel, mostly for checking/debugging.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...