Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: how to make loop in splunk query
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
leejaeyong
Engager
05-09-2019
03:09 AM
My final purpose is factor1 grouping.
I want somebody see before / after search result and code.
how to make for loop in splunk query?
*befor search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max
num1 | NumA | 100 | NumB | NumC
num2 | NumA | 100 | NumB | NumC
num3 | NumA | 100 | NumB | NumC
num4 | NumA | 100 | NumB | NumC
num5 | NumA | 100 | NumB | NumC
num6 | NumA | 100 | NumB | NumC
num7 | NumA | 100 | NumB | NumC
num8 | NumA | 100 | NumB | NumC
num9 | NumA | 100 | NumB | NumC
num10 | NumA | 100 | NumB | NumC
… | … | … | … | …
*wanted query
factor1_hierarchy_level = 100
factor1_refference_value = 'one of all factor1 number'
for(i=1, i<=factor1_hierarchy_level, i=i+1)
{
factor1_prev=factor1_min+factor1_hierarchy_flag*(i-1)
factor1_next=factor1_min+factor1_hierarchy_flag*(i)
case(factor1_prev<factor1_refference_value<factor1_next)
factor1_grouping=i
case(factor1_pv>factor1_max)
return 0
}
*after search result
factor1 | factor1_hierarchy_flag | factor1_hierarchy_level | factor1_min | factor1_max | factor1_grouping
num1 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num2 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num3 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num4 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num5 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num6 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num7 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num8 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num9 | NumA | 100 | NumB | NumC | one of number from 1 to 100
num10 | NumA | 100 | NumB | NumC | one of number from 1 to 100
… | … | … | … | … | …
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maciep
Champion
05-09-2019
04:37 PM
So when wanting to loop in Splunk, I typically try to take advantage of the fact that splunk is already looping through my events. But sometimes to do that, you have to use spl to add/remove/modify events in order to have the right result set to then take advantage of that inherent looping. It took me a while to get it, but i really think of spl as more like jiu jitsu to programming's boxing...if that makes any sense.
So in this case, i would probably do something like this:
- For each event, create a multi-value field with numbers ranging from 1 to 100
- Then i would mvexpand that field - so now each original event is actually 100 events - the only difference between them is the new number field (your i iterator)
- So now splunk will inherently loop for me
- So i can calculate whatever that is that's inside your loop, and drop it in a new field for that event
- Then, i can filter my events similarly to your case statements
- and then when done, should similar to your desired output i think
Maybe something like this:
<your search>
| eval i = mvrange(1,100)
| mvexpand i
| eval reference = 50, prev=factor1_min+factor1_hierarchy_flag*(i-1), next=factor1_min+factor1_hierarchy_flag*(i)
| eval keep = case(next > reference AND prev < reference, 1)
| where keep=1
| fields - keep
| rename i AS factor1_grouping
Honestly, i have no idea what you're actually doing in your calculations or what that reference value is, and so not sure if this search produces the expected results. But hopefully it at least gives you an idea of how i would handle the looping part of the question. It's all about manipulating your result set with SPL until you have something that will work for splunk's inherent looping.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maciep
Champion
05-09-2019
04:37 PM
So when wanting to loop in Splunk, I typically try to take advantage of the fact that splunk is already looping through my events. But sometimes to do that, you have to use spl to add/remove/modify events in order to have the right result set to then take advantage of that inherent looping. It took me a while to get it, but i really think of spl as more like jiu jitsu to programming's boxing...if that makes any sense.
So in this case, i would probably do something like this:
- For each event, create a multi-value field with numbers ranging from 1 to 100
- Then i would mvexpand that field - so now each original event is actually 100 events - the only difference between them is the new number field (your i iterator)
- So now splunk will inherently loop for me
- So i can calculate whatever that is that's inside your loop, and drop it in a new field for that event
- Then, i can filter my events similarly to your case statements
- and then when done, should similar to your desired output i think
Maybe something like this:
<your search>
| eval i = mvrange(1,100)
| mvexpand i
| eval reference = 50, prev=factor1_min+factor1_hierarchy_flag*(i-1), next=factor1_min+factor1_hierarchy_flag*(i)
| eval keep = case(next > reference AND prev < reference, 1)
| where keep=1
| fields - keep
| rename i AS factor1_grouping
Honestly, i have no idea what you're actually doing in your calculations or what that reference value is, and so not sure if this search produces the expected results. But hopefully it at least gives you an idea of how i would handle the looping part of the question. It's all about manipulating your result set with SPL until you have something that will work for splunk's inherent looping.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Unlock What’s Next: The Splunk Cloud Platform at .conf25
In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
