topic Re: How to dynamically compare and come up with new fields in Splunk Search

How to dynamically compare and come up with new fields

yoshilog — Wed, 31 Mar 2021 05:52:05 GMT

Using the extract function, I can arrive with the below columns:

I need to compare the values, and come up with a new field like r1, r2, r3 which says whether it's same or not.

I'm thinking of using eval function and then if statements to compare the two values but I'm not sure how to do it in such a way that will apply to all columns with titles beginning with "q" and "a".

I was thinking of using foreach loop but it seems that the foreach loop has very specific usecases that doesn't apply to mine.

The dilemma is that I need to do this dynamically, because it's possible that in other rows, there will be data reaching up to q5... q10... etc.

Is there a specific command for what I want to do?

Re: How to dynamically compare and come up with new fields

manjunathmeti — Wed, 31 Mar 2021 06:24:44 GMT

hi @yoshilog,

You can use foreach command with <<MATCHSTR>> instead of <<FIELD>>. You need to make sure that suffixes of fields a<SUFFIX> and q<SUFFIX> should be the same.
Try this:

| makeresults | eval afield1=4, afield2=2, afield3=8, afield4=10, qfield1=1, qfield2=2, qfield3=3, qfield4=10 | foreach a* [ eval r<<MATCHSTR>>=if(a<<MATCHSTR>>=q<<MATCHSTR>>, "EQUAL", "NOT EQUAL")]

If this reply helps you, a like would be appreciated.

Re: How to dynamically compare and come up with new fields

bowesmana — Wed, 31 Mar 2021 09:40:43 GMT

Building on @manjunathmeti reply, to avoid having to deal with 'a' fields that are not part of your checking, you can use foreach like this, where <<FIELD>> is the number in the foreach comand

| makeresults | eval n=mvrange(1,51) | eval Results="Yes,No" | mvexpand n | eval a{n}=mvindex(split(Results,","), random() % 2) | eval q{n}=mvindex(split(Results,","), random() % 2) | stats values(a*) as a* values(q*) as q* | foreach 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 [ eval r<<FIELD>>=if(a<<FIELD>>=q<<FIELD>>, "Equal", "Not Equal") ]

This creates 50 fields with a random a/q yes/no variant then compares each of them

Re: How to dynamically compare and come up with new fields

yoshilog — Mon, 05 Apr 2021 02:49:18 GMT

Thank you for creating a dynamic example! It worked.

Re: How to dynamically compare and come up with new fields

yoshilog — Mon, 05 Apr 2021 02:49:35 GMT

Thank you for sharing. It worked!