Splunk Search

how to make 'for loop' in splunk query

leejaeyong
Engager

For all rows, how can I make a Splunk query that follows this 'for loop'?

for(i=1, i<100, i=i+1)
{
    factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
    factor1_pv=factor1_min+factor1_hierarchy_flag*i
    factor1_next=factor1_min+factor1_hierarchy_flag*(i+1)

    case(factor1_prev<factor1_pv<factor1_next)
    factor1_hierarchy=i
    case(factor1_pv>factor1_max)
    return 0
}
0 Karma

MuS
Legend

Hi leejaeyong,

you can try this:

| makeresults count=100 
| streamstats count AS foo 
| eval factor1_min=(random() % 100) /2, factor1_hierarchy_flag=(random() % 100) +2 
| rename comment AS "This ^^^ just creates dummy data" 
| eval factor1_prev=factor1_min+factor1_hierarchy_flag*(foo-1),
    factor1_pv=factor1_min+factor1_hierarchy_flag*foo,
    factor1_next=factor1_min+factor1_hierarchy_flag*(foo+1),
    factor1_hierarchy=case(factor1_prev < factor1_pv AND factor1_pv < factor1_next, foo, factor1_pv > factor1_max, 0, true(), "unknown")

Everything up until the rename command creates just dummy events, and the last eval will be your loop over the 100 events. In this example foo is your i in your code.

Hope this helps ...

cheers, MuS

PS: I noticed that in your example factor1_max is missing, which is why the last case() statement will never match.

0 Karma

leejaeyong
Engager

'MuS', thank you,
but I think I did not communicate my problem in sufficient detail.

My final purpose is factor1 grouping.
I want somebody to see the before/after search results and the code.

*before search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max
num1 | NumA | 100 | NumB | NumC
num2 | NumA | 100 | NumB | NumC
num3 | NumA | 100 | NumB | NumC
num4 | NumA | 100 | NumB | NumC
num5 | NumA | 100 | NumB | NumC
num6 | NumA | 100 | NumB | NumC
num7 | NumA | 100 | NumB | NumC
num8 | NumA | 100 | NumB | NumC
num9 | NumA | 100 | NumB | NumC
num10 | NumA | 100 | NumB | NumC
… | … | … | … | …

*wanted query

factor1_hierarchy_level = 100
factor1_refference_value = 'one of all factor1 number'    

    for(i=1, i<=factor1_hierarchy_level, i=i+1)
    {
        factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
        factor1_next=factor1_min+factor1_hierarchy_flag*(i)

        case(factor1_prev<factor1_refference_value<factor1_next)
        factor1_grouping=i
        case(factor1_pv>factor1_max)
        return 0
    }

*after search result (grouping column created)
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max | factor1_grouping
num1 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num2 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num3 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num4 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num5 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num6 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num7 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num8 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num9 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num10 | NumA | 100 | NumB | NumC | one of number from 1 to 100
… | … | … | … | … | …

0 Karma
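The per-row "for loop" asked for above does not need iteration at all: the bucket index is just how many flag-widths the value sits above factor1_min, which a single eval can compute. The following is an added example (not from either poster) that models the loop literally in Python, derives the loop-free arithmetic, and checks both on constructed rows that use the question's field names; it assumes factor1_hierarchy_flag is positive and that factor1 itself is the reference value.

```python
def make_row(factor1, lo=10, width=5, level=100, hi=400):
    """Constructed row with the question's field names (values are made up)."""
    return {"factor1": factor1, "factor1_min": lo, "factor1_hierarchy_flag": width,
            "factor1_hierarchy_level": level, "factor1_max": hi}

ROWS = [make_row(23),   # 20 < 23 < 25 -> bucket 3
        make_row(11),   # 10 < 11 < 15 -> bucket 1
        make_row(20),   # exactly on a boundary: strict '<' never matches -> None
        make_row(999),  # above factor1_max -> 0
        make_row(5)]    # below factor1_min -> None

def grouping_by_loop(row):
    """Literal transcription of the pseudocode loop from the question."""
    ref, lo, width = row["factor1"], row["factor1_min"], row["factor1_hierarchy_flag"]
    for i in range(1, row["factor1_hierarchy_level"] + 1):
        prev = lo + width * (i - 1)
        nxt = lo + width * i
        if prev < ref < nxt:
            return i
        if ref > row["factor1_max"]:
            return 0
    return None  # no bucket matched

def grouping_closed_form(row):
    """Same result without iterating: bucket = flag-widths above factor1_min, plus one."""
    ref, lo, width = row["factor1"], row["factor1_min"], row["factor1_hierarchy_flag"]
    offset = ref - lo
    in_range = (0 < offset and offset % width != 0
                and offset // width + 1 <= row["factor1_hierarchy_level"])
    bucket = offset // width + 1 if in_range else None
    # The loop tests the bucket before factor1_max on every pass, so a value above
    # factor1_max still gets bucket 1 when it lands there; otherwise it yields 0.
    if ref > row["factor1_max"]:
        return 1 if bucket == 1 else 0
    return bucket

def group_rows(rows):
    """Apply the closed form to every row, like one eval over a result set."""
    return [grouping_closed_form(r) for r in rows]

# Equivalent SPL eval (assumed field names as in the question). It tests
# factor1_max first, so it differs from the literal loop only in the bucket-1
# corner case noted above.
# | eval offset=factor1-factor1_min,
#        factor1_grouping=case(factor1>factor1_max, 0,
#          offset>0 AND offset%factor1_hierarchy_flag!=0
#          AND floor(offset/factor1_hierarchy_flag)+1<=factor1_hierarchy_level,
#          floor(offset/factor1_hierarchy_flag)+1, true(), null())
```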