Splunk Search

how to make loop in splunk query

leejaeyong
Engager

My final purpose is factor1 grouping.
I want somebody to see the before / after search results and code.

how to make for loop in splunk query?

*before search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max
num1 | NumA | 100 | NumB | NumC
num2 | NumA | 100 | NumB | NumC
num3 | NumA | 100 | NumB | NumC
num4 | NumA | 100 | NumB | NumC
num5 | NumA | 100 | NumB | NumC
num6 | NumA | 100 | NumB | NumC
num7 | NumA | 100 | NumB | NumC
num8 | NumA | 100 | NumB | NumC
num9 | NumA | 100 | NumB | NumC
num10 | NumA | 100 | NumB | NumC
… | … | … | … | …

*wanted query

factor1_hierarchy_level = 100
factor1_reference_value = 'one of all factor1 number'

for(i=1; i<=factor1_hierarchy_level; i=i+1)
{
    factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
    factor1_next=factor1_min+factor1_hierarchy_flag*(i)

    case(factor1_prev<factor1_reference_value<factor1_next)
    factor1_grouping=i
    case(factor1_prev>factor1_max)
    return 0
}

*after search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max | factor1_grouping
num1 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num2 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num3 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num4 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num5 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num6 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num7 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num8 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num9 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num10 | NumA | 100 | NumB | NumC | one of number from 1 to 100
… | … | … | … | … | …

1 Solution

maciep
Champion

So when wanting to loop in Splunk, I typically try to take advantage of the fact that Splunk is already looping through my events. But sometimes to do that, you have to use SPL to add/remove/modify events in order to have the right result set to then take advantage of that inherent looping. It took me a while to get it, but I really think of SPL as more like jiu jitsu to programming's boxing... if that makes any sense.

So in this case, I would probably do something like this:

  1. For each event, create a multi-value field with numbers ranging from 1 to 100
  2. Then I would mvexpand that field - so now each original event is actually 100 events - the only difference between them is the new number field (your i iterator)
  3. So now Splunk will inherently loop for me
  4. So I can calculate whatever it is that's inside your loop, and drop it in a new field for that event
  5. Then, I can filter my events similarly to your case statements
  6. And then when done, it should be similar to your desired output, I think

Maybe something like this:

<your search>
| eval i = mvrange(1,101)
| mvexpand i
| eval reference = 50, prev=factor1_min+factor1_hierarchy_flag*(i-1), next=factor1_min+factor1_hierarchy_flag*(i)
| eval keep = case(next > reference AND prev < reference, 1)
| where keep=1
| fields - keep
| rename i AS factor1_grouping

Honestly, I have no idea what you're actually doing in your calculations or what that reference value is, and so I'm not sure if this search produces the expected results. But hopefully it at least gives you an idea of how I would handle the looping part of the question. It's all about manipulating your result set with SPL until you have something that will work for Splunk's inherent looping.
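A self-contained version of the mvrange/mvexpand approach above, added here as an example and not part of maciep's answer: it builds three sample events with makeresults (the flag, min, max and reference values are constructed), uses a closed-open bucket test so a reference value sitting exactly on a boundary is still assigned, and keeps the asker's "return 0" rule for a reference above factor1_max. The reference field stands in for the asker's per-event factor1_reference_value, which is assumed to exist in the real search.

```spl
| makeresults count=3
| streamstats count AS n
| eval factor1="num".n, factor1_hierarchy_flag=5, factor1_hierarchy_level=100, factor1_min=0, factor1_max=500
| eval reference=case(n=1, 12, n=2, 250, n=3, 999)
| eval i=mvrange(1, factor1_hierarchy_level+1)
| mvexpand i
| eval prev=factor1_min+factor1_hierarchy_flag*(i-1), next=factor1_min+factor1_hierarchy_flag*i
| eval keep=case(reference>factor1_max AND i=1, 1, reference>=prev AND reference<next, 1)
| where keep=1
| eval factor1_grouping=if(reference>factor1_max, 0, i)
| table factor1 factor1_hierarchy_flag factor1_hierarchy_level factor1_min factor1_max reference factor1_grouping
```

With the constructed values the three rows come out with factor1_grouping 3, 51 and 0. A reference equal to factor1_max falls outside the last half-open bucket and is dropped, so widen the final bucket if that case matters in your data.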

