topic Re: {} equivalent on right hand side of eval in Splunk Search

{} equivalent on right hand side of eval

usd0872 — Fri, 10 Dec 2021 12:36:14 GMT

I hate hardcoding dynamic things. Sooner or later those thing break. I have data with fields

... forecast_2020=400, forecast_2021=500, forecast_2022=650, forecast_2023=800 ...

and in some search I need to use the correct forecast for the current year.

What I could do is

... | eval year=strftime(now(),"%Y"), forecast=case(year==2021, forecast_2021, year==2022, forecast_2022, year==2023, forecast_2023, 1==1, 0)

This definitely results in problems in 2024; by then I will have a field forecast_2024 but nobody will remember to update the search.

I'd rather use something along these lines:

... | eval year=strftime(now(),"%Y"), forecast=coalesce(forecast_{year}, 0)

However, the {} trick can only be used on the left hand side in eval. Is there any similar cool trick which works on the right hand side?

Re: {} equivalent on right hand side of eval

ITWhisperer — Fri, 10 Dec 2021 12:38:59 GMT

Not exactly since it still uses {} on the left, but using foreach you could do this

| makeresults | eval year=strftime(now(),"%Y") | eval forecast_2021=random()%100 | eval year_{year}=year | foreach year_* [| eval forecast=coalesce(forecast_<<MATCHSTR>>,0)]

Re: {} equivalent on right hand side of eval

PickleRick — Fri, 10 Dec 2021 13:09:28 GMT

Ugly but should work. Use foreach.

For example:

| makeresults count=3
| eval a1=2,a2=5,a3=8
| streamstats count
| foreach a* 
   [ eval result=if (<<MATCHSTR>> = count,<<FIELD>>,result)]

Adjust to your needs (make the condition reference current year) and you're good to go.

Re: {} equivalent on right hand side of eval

usd0872 — Fri, 10 Dec 2021 14:15:43 GMT

Bingo! A good way to achieve the result. It fits my need perfectly, I just could not think of it myself. Thank you.

Re: {} equivalent on right hand side of eval

usd0872 — Fri, 10 Dec 2021 14:19:09 GMT

Yep, foreach is the way to solve this. Thank you.