topic Re: How to create a new field from the value of another field? in Splunk Search

How to create a new field from the value of another field?

rwiley — Mon, 14 Nov 2016 15:14:06 GMT

i have a search with these results.

description,     stringValue
datetime,        "epoc time"
zone,            "zonename"
network,         "networkname"
etc,             etc

i want to create a field called date from string value when description = datetime and a field called NetworkZone from stringvalue when description = network get stringvalue "_" when value = zone get string value

so datetime form date time and "network_zone" from network and zone.

i have used eval to combine fields but not to use the values as a new field. not sure if it is possible. thanks for any help.

Re: How to create a new field from the value of another field?

somesoni2 — Mon, 14 Nov 2016 15:27:10 GMT

How about this? This should create a new field with name same as value of the field description and value of this new field will be same as field stringValue.

your base search | eval "{description}"=stringValue

Re: How to create a new field from the value of another field?

gcusello — Mon, 14 Nov 2016 15:37:15 GMT

Hi rwiley,
try something like this:

| eval date=if(description="datetime",stringValue,""), NetworkZone=if(description="network","__",if(value="zone",stringValue,"")

I'm not sure to have understood the second condition.
Bye.
Giuseppe

Re: How to create a new field from the value of another field?

rwiley — Mon, 14 Nov 2016 15:38:39 GMT

that will create a new field but i only want the value of stringvalue when the description = a certain value.

so i need a field called network_zone where it only pulls the network name and zone name. and a date field that only gets the stringValue when description = date. something like this.

decription, stringValue
date, date
network, networkname
zone, zonename

new fields
date, netoworkzone
date, "networkname"+"_"+"zonename"

Re: How to create a new field from the value of another field?

somesoni2 — Mon, 14 Nov 2016 15:58:33 GMT

In that case, you will need to create a separate eval for each new field which will populate it conditionally. Also, you want to merge two events which has network and zone as one value, so that would add extra step. See if something like this works for you.

your base search | eval description=if(description="network" OR description="zone","network_zone",description) 
|stats values(stringValue) as stringValue by description delim="_" | nomv stringValue
| eval date=if(description="date",stringValue,null()) | eval network_zone=if(description="network_zone",stringValue,null()) | ...any other combination...

Give this a try as well.

your base search | eval description=if(description="network" OR description="zone","network_zone",description) 
| stats values(stringValue) as stringValue by description delim="_" 
| nomv stringValue | eval temp=1 
| xyseries temp description stringValue | fields - temp

Re: How to create a new field from the value of another field?

rwiley — Tue, 15 Nov 2016 16:43:28 GMT

this is getting the fields created. the networkzone field is only bringing in the underscore. i am working with it to see if it will give me exactly what i need. thanks.