Archive

How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Motivator

I have a set of data, perhaps XML, perhaps 5.x+ PerfMon, and it's in this format:

aName=Field1 aValue=123
aName=Field1 aValue=234
aName=Field2 aValue=345
aName=Field2 aValue=456

I would love to do a | stats avg(Field1) avg(Field2) but I can't get at the values!

How can I create a field with the name of aName, and the value of aValue? This is very similar to backticks or the eval() function in other languages.

Tags (1)
1 Solution

Motivator

This does not seem to be documented anywhere, but you can use the curly braces to create fields that are based on field values. In the example above, run the following:

| eval {aName}=aValue

And you will end up with:

aName=Field1 aValue=123 Field1=123
aName=Field1 aValue=234 Field1=234
aName=Field2 aValue=345 Field2=345
aName=Field2 aValue=456 Field2=456

And now you can run stats on Field1 and Field2!

You can also append other text to the field names: | eval my{aName}=aValue would create myField1 and myField2 fields.

Naturally, beware using this on fields that have large numbers of values!

View solution in original post

Motivator

This does not seem to be documented anywhere, but you can use the curly braces to create fields that are based on field values. In the example above, run the following:

| eval {aName}=aValue

And you will end up with:

aName=Field1 aValue=123 Field1=123
aName=Field1 aValue=234 Field1=234
aName=Field2 aValue=345 Field2=345
aName=Field2 aValue=456 Field2=456

And now you can run stats on Field1 and Field2!

You can also append other text to the field names: | eval my{aName}=aValue would create myField1 and myField2 fields.

Naturally, beware using this on fields that have large numbers of values!

View solution in original post

Splunk Employee
Splunk Employee

Motivator

You're welcome. It looks like this only works on the left hand side of the equals sign though.

Path Finder

Yep, because on the right you don't need them 🙂

Great find, thank you!

0 Karma

New Member

Does it work for saved searches?

0 Karma

New Member

I found out how to fix my issue: the field value cannot be "-" as in my case.

0 Karma

Path Finder

Right because you aren't allowed to create a variable with that character alone.

0 Karma

Motivator

Wow that's huge, thanks Jason!

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!