topic Re: similar field names function in Splunk Search

Is there a way to "automate" similar field names function?

jbanAtSplunk — Mon, 12 Sep 2022 03:09:24 GMT

Hi,

Just curios if this is possible as I have interesting challenge.

So, I have extracted fields, key=value

id0=0000, id1=1111, id2=2222,inN=NNNN,zone0=zone0,zone1=zone1,zone2=zone2,zoneN=zoneN
Now I want to create new field that is like this just number AutoIncrements
| eval example0 = id0 + " location:" + zone0

My challenge is, how to make that more "automatic" as I don't know the number "N" in event and want to automate this new field so for every exampleN i have the same eval example.
I mean it'll be a little more complicated as I'll create some case statement in eval but inital challange is how to automate it on simpler just string scenario.

Re: similar field names function

bowesmana — Sun, 11 Sep 2022 23:56:25 GMT

Use foreach. This example demonstrates how to do it, you can run it in the search window, but the last line is the one you want.

| makeresults ``` Create some dummy data with a random number of n ``` | eval n=mvrange(0, random() % 10, 1) | mvexpand n | eval id{n}=printf("%04d", random() % 10000), zone{n}=printf("zone%d", n) ``` Join all these values back to a single row ``` | stats values(*) as * | fields - n ``` Now we have the dummy data, use foreach ``` | foreach id* [ eval "example<<MATCHSTR>>"='<<FIELD>>'." location:".'zone<<MATCHSTR>>' ]

Re: similar field names function

bowesmana — Sun, 11 Sep 2022 23:59:50 GMT

This is one of the great things you can do, if you use a well defined field naming convention. As you can see in this example, the * in the foreach statement will 'capture' the matching part of the string, so 0, 1, 2 etc from the name of the id field.

This captured value is then substituted when the <<MATCHSTR>> operator is used.

Note that it is important to use single quotes round the right hand side of the eval statement fields, so it can handle field names containing odd characters - although not critical in your case, but a useful practice.

Re: similar field names function

jbanAtSplunk — Mon, 12 Sep 2022 10:15:56 GMT

I don't think that that is what I need. Stats are not good for my use case in that early stage.

Basically, what I did with 15 evals is building an variable that is comma separated string as then it's makemv and mvexpand.

As I need all this id0,id1,id2... expanded as id.
basically,
id0=0000, id1=1111, id2=2222,inN=NNNN,zone0=zone0,zone1=zone1,zone2=zone2,zoneN=zoneN

That one event need's to become/expand to N events
--id---|--zone--
0000|zone0
1111|zone1
2222|zone2
NNNN|zoneN

Now I can map and create automatic allowlist rule base on case if logic, logic is not that hard to write. End result is like.
"Allowlist id=" + id + " zone=" + zone + " URL=" + url ...

Re: similar field names function

jbanAtSplunk — Mon, 12 Sep 2022 10:55:41 GMT

Sry, It's working. I needed only this ForEach command.