Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to make loop in splunk query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My final purpose is factor1 grouping.
I want somebody see before / after search result and code.
how to make for loop in splunk query?
*befor search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max
num1 | NumA | 100 | NumB | NumC
num2 | NumA | 100 | NumB | NumC
num3 | NumA | 100 | NumB | NumC
num4 | NumA | 100 | NumB | NumC
num5 | NumA | 100 | NumB | NumC
num6 | NumA | 100 | NumB | NumC
num7 | NumA | 100 | NumB | NumC
num8 | NumA | 100 | NumB | NumC
num9 | NumA | 100 | NumB | NumC
num10 | NumA | 100 | NumB | NumC
… | … | … | … | …
*wanted query
factor1_hierarchy_level = 100
factor1_refference_value = 'one of all factor1 number'
for(i=1, i<=factor1_hierarchy_level, i=i+1)
{
factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
factor1_next=factor1_min+factor1_hierarchy_flag*(i)
case(factor1_prev<factor1_refference_value<factor1_next)
factor1_grouping=i
case(factor1_pv>factor1_max)
return 0
}
*after search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max | factor1_grouping
num1 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num2 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num3 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num4 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num5 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num6 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num7 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num8 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num9 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num10 | NumA | 100 | NumB | NumC | one of number from 1 to 100
… | … | … | … | … | …
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So when wanting to loop in Splunk, I typically try to take advantage of the fact that splunk is already looping through my events. But sometimes to do that, you have to use spl to add/remove/modify events in order to have the right result set to then take advantage of that inherent looping. It took me a while to get it, but i really think of spl as more like jiu jitsu to programming's boxing...if that makes any sense.
So in this case, i would probably do something like this:
- For each event, create a multi-value field with numbers ranging from 1 to 100
- Then i would mvexpand that field - so now each original event is actually 100 events - the only difference between them is the new number field (your i iterator)
- So now splunk will inherently loop for me
- So i can calculate whatever that is that's inside your loop, and drop it in a new field for that event
- Then, i can filter my events similarly to your case statements
- and then when done, should similar to your desired output i think
Maybe something like this:
<your search>
| eval i = mvrange(1,100)
| mvexpand i
| eval reference = 50, prev=factor1_min+factor1_hierarchy_flag*(i-1), next=factor1_min+factor1_hierarchy_flag*(i)
| eval keep = case(next > reference AND prev < reference, 1)
| where keep=1
| fields - keep
| rename i AS factor1_grouping
Honestly, i have no idea what you're actually doing in your calculations or what that reference value is, and so not sure if this search produces the expected results. But hopefully it at least gives you an idea of how i would handle the looping part of the question. It's all about manipulating your result set with SPL until you have something that will work for splunk's inherent looping.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So when wanting to loop in Splunk, I typically try to take advantage of the fact that splunk is already looping through my events. But sometimes to do that, you have to use spl to add/remove/modify events in order to have the right result set to then take advantage of that inherent looping. It took me a while to get it, but i really think of spl as more like jiu jitsu to programming's boxing...if that makes any sense.
So in this case, i would probably do something like this:
- For each event, create a multi-value field with numbers ranging from 1 to 100
- Then i would mvexpand that field - so now each original event is actually 100 events - the only difference between them is the new number field (your i iterator)
- So now splunk will inherently loop for me
- So i can calculate whatever that is that's inside your loop, and drop it in a new field for that event
- Then, i can filter my events similarly to your case statements
- and then when done, should similar to your desired output i think
Maybe something like this:
<your search>
| eval i = mvrange(1,100)
| mvexpand i
| eval reference = 50, prev=factor1_min+factor1_hierarchy_flag*(i-1), next=factor1_min+factor1_hierarchy_flag*(i)
| eval keep = case(next > reference AND prev < reference, 1)
| where keep=1
| fields - keep
| rename i AS factor1_grouping
Honestly, i have no idea what you're actually doing in your calculations or what that reference value is, and so not sure if this search produces the expected results. But hopefully it at least gives you an idea of how i would handle the looping part of the question. It's all about manipulating your result set with SPL until you have something that will work for splunk's inherent looping.
.conf25 Global Broadcast: Don’t Miss a Moment
Observe and Secure All Apps with Splunk
What's New in Splunk Observability - August 2025
