topic Evaluating dynamically generated field name in Splunk Search

Evaluating dynamically generated field name

hsingams2 — Thu, 25 Jan 2018 00:35:04 GMT

I've an event where some field "values" can be concatenated/evaluated to generate a field "name" that exists in the same event. I want to evaluate the generated field name to get its value.

A simple query to imitate this is below. How do I evaluate "foo" so that I get the value "johndoe" (ie "foo" is a reference/pointer to the user)
| stats count | eval user="johndoe" | eval foo="user"

Re: Evaluating dynamically generated field name

MuS — Thu, 25 Jan 2018 00:59:50 GMT

Hi hsingams2,

almost got it right 😉 Try this:

 | makeresults | eval user="johndoe" | eval foo="user" | eval foo2=user

by using "" around the user you tell eval to use user as a string, and by not using "" around user you tell eval to refer to another field called user.

Does that make sense?

Hope this helps ...

cheers, MuS

Re: Evaluating dynamically generated field name

hsingams2 — Thu, 25 Jan 2018 01:53:14 GMT

Thanks for the response. I understand that the calling without quotes would work.
The only issue is I can't use the user field directly. It has to be referenced through foo (i.e foo -> user -> johndoe)

My real life case is something similar to this:
... | eval foo=mvindex(split(somefield,"\n"),1)."/STATUS"

As you can see the "foo" here is dynamically generated and contains a field name as a string value (eg. "TEST00123/STATUS") that I want to evaluate.

Hope it makes sense.