Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to make 'for loop' in splunk query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to make 'for loop' in splunk query
For all row, how can i make splunk query following 'for loop'?
for(i=1, i<100, i=i+1)
{
factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
factor1_pv=factor1_min+factor1_hierarchy_flag*i
factor1_next=factor1_min+factor1_hierarchy_flag*(i+1)
case(factor1_prev<factor1_pv<factor1_next)
factor1_hierarchy=i
case(factor1_pv>factor1_max)
return 0
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi leejaeyong,
you can try this:
| makeresults count=100
| streamstats count AS foo
| eval factor1_min=(random() % 100) /2, factor1_hierarchy_flag=(random() % 100) +2
| rename comment AS "This ^^^ just creates dummy data"
| eval factor1_prev=factor1_min+factor1_hierarchy_flag*(foo-1),
factor1_pv=factor1_min+factor1_hierarchy_flag*foo,
factor1_next=factor1_min+factor1_hierarchy_flag*(foo+1),
factor1_hierarchy=case(factor1_prev < factor1_pv AND factor1_pv <factor1_next, foo, factor1_pv>factor1_max, 0, true(), "unknonw")
Everything up until the rename command creates just dummy events, and the last eval will be your loop over the 100 events. In this example foo is your i in your code.
Hope this helps ...
cheers, MuS
PS: I noticed that in your example factor1_max is missing that's why the last case() statement never will match.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
'MuS' thank you
but i think that did not communicate my problem in sufficient quantity.
My final purpose is factor1 grouping.
I want somebody see before / after search result and code.
*befor search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max
num1 | NumA | 100 | NumB | NumC
num2 | NumA | 100 | NumB | NumC
num3 | NumA | 100 | NumB | NumC
num4 | NumA | 100 | NumB | NumC
num5 | NumA | 100 | NumB | NumC
num6 | NumA | 100 | NumB | NumC
num7 | NumA | 100 | NumB | NumC
num8 | NumA | 100 | NumB | NumC
num9 | NumA | 100 | NumB | NumC
num10 | NumA | 100 | NumB | NumC
… | … | … | … | …
*wanted query
factor1_hierarchy_level = 100
factor1_refference_value = 'one of all factor1 number'
for(i=1, i<=factor1_hierarchy_level, i=i+1)
{
factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
factor1_next=factor1_min+factor1_hierarchy_flag*(i)
case(factor1_prev<factor1_refference_value<factor1_next)
factor1_grouping=i
case(factor1_pv>factor1_max)
return 0
}
*after search result(grouping colunm creating)
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max | factor1_grouping
num1 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num2 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num3 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num4 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num5 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num6 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num7 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num8 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num9 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num10 | NumA | 100 | NumB | NumC | one of number from 1 to 100
… | … | … | … | … | …
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
