My final purpose is factor1 grouping.
I want somebody to see the before / after search results and code.
How do I make a for loop in a Splunk query?
*before search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max
num1 | NumA | 100 | NumB | NumC
num2 | NumA | 100 | NumB | NumC
num3 | NumA | 100 | NumB | NumC
num4 | NumA | 100 | NumB | NumC
num5 | NumA | 100 | NumB | NumC
num6 | NumA | 100 | NumB | NumC
num7 | NumA | 100 | NumB | NumC
num8 | NumA | 100 | NumB | NumC
num9 | NumA | 100 | NumB | NumC
num10 | NumA | 100 | NumB | NumC
… | … | … | … | …
*wanted query
factor1_hierarchy_level = 100
factor1_refference_value = 'one of all factor1 number'
for(i=1, i<=factor1_hierarchy_level, i=i+1)
{
factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
factor1_next=factor1_min+factor1_hierarchy_flag*(i)
case(factor1_prev<factor1_refference_value<factor1_next)
factor1_grouping=i
case(factor1_pv>factor1_max)
return 0
}
*after search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max | factor1_grouping
num1 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num2 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num3 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num4 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num5 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num6 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num7 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num8 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num9 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num10 | NumA | 100 | NumB | NumC | one of number from 1 to 100
… | … | … | … | … | …
So when wanting to loop in Splunk, I typically try to take advantage of the fact that Splunk is already looping through my events. But sometimes to do that, you have to use SPL to add/remove/modify events in order to have the right result set to then take advantage of that inherent looping. It took me a while to get it, but I really think of SPL as more like jiu jitsu to programming's boxing... if that makes any sense.
So in this case, I would probably do something like this:
Maybe something like this:
<your search>
| eval i = mvrange(1,101)
| mvexpand i
| eval reference = 50, prev=factor1_min+factor1_hierarchy_flag*(i-1), next=factor1_min+factor1_hierarchy_flag*(i)
| eval keep = case(next > reference AND prev < reference, 1)
| where keep=1
| fields - keep
| rename i AS factor1_grouping
Honestly, I have no idea what you're actually doing in your calculations or what that reference value is, and so I'm not sure if this search produces the expected results. But hopefully it at least gives you an idea of how I would handle the looping part of the question. It's all about manipulating your result set with SPL until you have something that will work for Splunk's inherent looping.
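Added example, not part of the original answer: a self-contained search that builds four constructed rows with `makeresults` and computes the group two ways, once with the `mvrange`/`mvexpand` loop described above and once with a single `eval` that needs no expansion. It goes beyond the answer by adding the closed-form version; the sample values, the `reference`, `offset`, `hit`, `loop_result` and `closed_form` field names, the half-open interval `prev <= reference < next`, and returning 0 for out-of-range values are all assumptions.

```spl
| makeresults count=4
| streamstats count AS n
| eval factor1="num".n,
       factor1_min=0,
       factor1_hierarchy_flag=10,
       factor1_hierarchy_level=100
| eval reference=case(n=1, 5, n=2, 250, n=3, 999, n=4, 2000)
| eval offset=reference - factor1_min
| eval closed_form=if(offset < 0 OR offset >= factor1_hierarchy_flag * factor1_hierarchy_level,
                      0,
                      floor(offset / factor1_hierarchy_flag) + 1)
| eval i=mvrange(1, factor1_hierarchy_level + 1)
| mvexpand i
| eval prev=factor1_min + factor1_hierarchy_flag * (i - 1),
       next=factor1_min + factor1_hierarchy_flag * i
| eval hit=if(reference >= prev AND reference < next, i, null())
| stats max(hit) AS loop_result first(closed_form) AS closed_form BY factor1 reference
| fillnull value=0 loop_result
```

`mvrange` excludes its end value, hence the `+ 1`. The `mvexpand` version multiplies every event by the number of levels and is subject to `mvexpand` memory limits on large result sets, so the single-`eval` form is the one to prefer when the bins are evenly spaced.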