Solved: what can be used in SPL for decalre variables in S...

raghu0463 · ‎07-31-2017

im trying to write spl for one of the sql quires which has like declare variables and CTE tables im bit confused what to use in SPL for that.

example :

SQL - declare @prev date
SPL ?

SQL - declare @table1 table(col1 date)
SPL - ?

SQL -
with cte as
(select col1 from table1
union all
select dateadd(day,1,col1) from cte
where col1 < maxdate-1)

how to convert this SQL into SPL pls ?

thanks

DalJeanis · ‎07-31-2017

A recursive CTE, such as the one you posted, is a fantastic feature of a couple of variants of SQL, and are designed to solve specific problems. The basic answer is, you can't translate a recursive CTE directly. I want to make absolutely clear, the general answer to your general question is, "You CAN'T." You have to figure out what it is doing, and then analyze how to accomplish it in a different, splunky, way.

However, the GREAT news is that this particular CTE is merely accomplishing a task that in splunk is trivial. Specifically, "How do I create a list of dates from the value in col1 to one day less less than the value in maxdate?"

Here's the SPL code for that, assuming that Date1Epoch and Date2Epoch are both already in epoch format...

| eval mysetofdates=mvrange(Date1Epoch, Date2Epoch, 86400)

That creates a single field called mysetofdates that has the entire list, starting from Date1Epoch, and ending BEFORE Date2Epoch.

Now, how you use that multivalue field to meet the rest of your needs is going to depend on the rest of your requirements. You will probably end up using mvexpand, but after that it's anybody's guess.

View solution in original post

DalJeanis · ‎07-31-2017

A recursive CTE, such as the one you posted, is a fantastic feature of a couple of variants of SQL, and are designed to solve specific problems. The basic answer is, you can't translate a recursive CTE directly. I want to make absolutely clear, the general answer to your general question is, "You CAN'T." You have to figure out what it is doing, and then analyze how to accomplish it in a different, splunky, way.

However, the GREAT news is that this particular CTE is merely accomplishing a task that in splunk is trivial. Specifically, "How do I create a list of dates from the value in col1 to one day less less than the value in maxdate?"

Here's the SPL code for that, assuming that Date1Epoch and Date2Epoch are both already in epoch format...

| eval mysetofdates=mvrange(Date1Epoch, Date2Epoch, 86400)

That creates a single field called mysetofdates that has the entire list, starting from Date1Epoch, and ending BEFORE Date2Epoch.

Now, how you use that multivalue field to meet the rest of your needs is going to depend on the rest of your requirements. You will probably end up using mvexpand, but after that it's anybody's guess.

raghu0463 · ‎08-02-2017

here in the eval mysetofdates will hold all the dates right ?

DalJeanis · ‎08-03-2017

@raghu0463 - let's keep the questions and answers on the forum, where other people can benefit from them, and where I can ask friends for help if they go a direction that isn't my area. Feel free to link up with me on LinkedIn (https://www.linkedin.com/in/daljeanis) and ask me there if it's anything confidential, but at this level of questions, it's better to post it here.

Without seeing the rest of the SQL, I don't know why the CTE code is generating that list of dates. now() would be fine, assuming that the intention is to generate a list of dates from today to just less than some fixed future date.

With regard to your "rising column" question, please post that as a new question so it can get proper attention. Give it a title like "What would I use for rising column in this scenario...?".

Give us non-confidential details about the keys of the three tables, and what significant fields (dates, update date/time etc) are available in those columns. You can post the SQL, clipped back to basics as much as you can without affecting the actual joins, binds and tricky bits.

raghu0463 · ‎08-03-2017

@DalJeanis

when i was using
|eval mytime=mvrange(now()-86400*90,now(),86400)| eval date = strftime(mytime,"%y/%m/%d") | stats count(date)

im getting the count 59490 , but i think i should get 90. what is the error in the above commands pls

DalJeanis · ‎08-02-2017

@raghu0463 - Right, it will be a multivalue field with epoch values of the dates, such as the results of this code...

|makeresults | bin _time span=1d |eval mytime=mvrange(_time-86400*3,_time,86400)

...which looks like...

1501372800
1501459200
1501545600

raghu0463 · ‎08-03-2017

@DalJeanis, instead of using _time can i use now(), because _time changes for every event right ?

Thanks

raghu0463 · ‎08-02-2017

hello Daljeanis,

i tried to build spl for the first question, but im getting errors, im bit new to splunk. will you able to provide me your email id pls so that i can send my question to you.

thanks

raghu0463 · ‎08-02-2017

Hello DalJeanis,

I have one more question, im trying to ingest data from sql server tables (3) and also date from one view into splunk,
lets say A,B,C are table names
Z is view name
for table c the no.of records in the table are 76500, it has composite primary key. will i able to store all the records in one stretch. if not, what should i use in the rising column.

woodcock · ‎07-31-2017

It will be easier for us if you show us the event data and what you would like the final form to be.

raghu0463 · ‎07-31-2017

can i get ur email pls, so that i can send it you ..

woodcock · ‎08-01-2017

It is in my profile.

s2_splunk · ‎07-31-2017

You don't need to declare variables in Splunk. Just use them. | eval myVar = 12345 makes a new 'variable' (called a field in Splunk) that has a numeric value.
| eval myVar2 = "This is a string" makes a string. Easy. 🙂

raghu0463 · ‎08-01-2017

then how about the variable table pls ?

what can be used in SPL for decalre variables in SQL .

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...