topic Re: How do you treat a variable value as another field with Splunk? in Splunk Search

How do you treat a variable value as another field with Splunk?

derekho55 — Tue, 29 Sep 2020 22:44:18 GMT

I have a field named "object_XXX_property", where XXX string is dynamically generated and is held in another field named "entity". I want to get at the object property field and have it on a table. I figured that I probably need an intermediate variable to handle the dynamically generated field name:

<code>base search | eval cn="objects_".entity."_property"|.. </code>

How can I get my cn variable to display the value of the object_property field with Splunk?

Re: How do you treat a variable value as another field with Splunk?

renjith_nair — Tue, 29 Sep 2020 22:44:45 GMT

@derekho55 ,

base search | eval object_{entity}_property="your value"

This will create field names with object_abc_property,object_xyz_property etc where abc & xyz are your entity values

Re: How do you treat a variable value as another field with Splunk?

derekho55 — Tue, 29 Sep 2020 22:41:40 GMT

Thanks for your response. I don't want to create a field named object_{entity}_property; it already exists as a field with a value in it that I want to extract.

I've been trying with

| eval cn = object_{entity}_property| table cn but it wont work.

Straight up base search |table object_{entity}_property didn't work either.

Re: How do you treat a variable value as another field with Splunk?

woodcock — Fri, 11 Jan 2019 18:36:56 GMT

Like this:

| makeresults 
| eval entity = "foo" 
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]

Do note that this also "works" but apparently is not what you desire (because it is the inverse):

| makeresults 
| eval entity = "foo" 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval object_{entity}_property = "bar"

Re: How do you treat a variable value as another field with Splunk?

woodcock — Fri, 11 Jan 2019 18:38:27 GMT

Now that I "get it", this is a GREAT question.

Re: How do you treat a variable value as another field with Splunk?

derekho55 — Fri, 11 Jan 2019 21:49:26 GMT

thank you very much. This was what I was looking for. Got my query with some minor modifications on this.

Re: How do you treat a variable value as another field with Splunk?

woodcock — Fri, 11 Jan 2019 22:10:32 GMT

It was a fun problem to solve.

Re: How do you treat a variable value as another field with Splunk?

woodcock — Fri, 11 Jan 2019 23:34:03 GMT

It always looks so easy when you see the trick.