topic Re: How can I format field with relative fieldname ? in Splunk Search

How can I format field with relative fieldname ?

Chaser — Thu, 22 Dec 2022 04:46:18 GMT

My task is format field "app" with relative fieldname

How can I use format command to format as example: (app=*app1* OR app=*app2* OR *app3* OR ...)

please help me, thanks

Re: How can I format field with relative fieldname ?

yuanliu — Thu, 22 Dec 2022 04:48:00 GMT

What is a "relative fieldname"? What do the asterisks (*) in your example represent? What is the data like, or the output of your search like? (Or what do raw data look like and your search look like?)

Re: How can I format field with relative fieldname ?

Chaser — Thu, 22 Dec 2022 06:22:44 GMT

fieldname is app, I mean, data have an app named Microsoft.sharepoint, but I input "sharepoint" it's still worked and it's understood Microsoft.sharepoint

Re: How can I format field with relative fieldname ?

Chaser — Thu, 22 Dec 2022 06:27:58 GMT

the asterisk(*) mean: if search *sharepoint*, it will show all of result have "sharepoint"

Re: How can I format field with relative fieldname ?

yuanliu — Thu, 22 Dec 2022 06:38:16 GMT

Something like this?

| makeresults | fields - _time | eval app = mvappend("*app1*", "*app2*") | format

Re: How can I format field with relative fieldname ?

Chaser — Thu, 22 Dec 2022 06:47:42 GMT

the result like picture on above, but I want all double quote (") transfer to asterisk (*), can you help me

Re: How can I format field with relative fieldname ?

yuanliu — Thu, 22 Dec 2022 08:10:03 GMT

The easiest, and in my opinion semantically the most explicit, method would be to enter asterisks into the lookup table.

If you cannot change the table (I don't see any obstacle to that but), you can just alter it after inputlookup.

| inputlookup app_whitelist.csv | fields app | eval app = "*" . app . "*" ``` assuming app is single valued ``` | format

Re: How can I format field with relative fieldname ?

Chaser — Thu, 22 Dec 2022 09:15:29 GMT

Can I completely replace double quotes with asterisks ?

Re: How can I format field with relative fieldname ?

yuanliu — Thu, 22 Dec 2022 17:18:56 GMT

The output is just a string, and search is the field name. Yes you can use string manipulation to change anything, like

| rex mode=sed field=search "s/\"//g" ``` this only works if app values do not include quotation marks ```

But why? Not only is this unnecessary, it is wrong in terms of code hygiene. Splunk already gives you the necessary and sufficient syntax so it doesn't matter what is in the fields being formatted the search term will be faithful to the requirement. Stripping quotes only makes it less stable.