Archive
Highlighted

How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Motivator

I have a set of data, perhaps XML, perhaps 5.x+ PerfMon, and it's in this format:

aName=Field1 aValue=123
aName=Field1 aValue=234
aName=Field2 aValue=345
aName=Field2 aValue=456

I would love to do a | stats avg(Field1) avg(Field2) but I can't get at the values!

How can I create a field with the name of aName, and the value of aValue? This is very similar to backticks or the eval() function in other languages.

Tags (1)
Highlighted

Re: How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Motivator

This does not seem to be documented anywhere, but you can use the curly braces to create fields that are based on field values. In the example above, run the following:

| eval {aName}=aValue

And you will end up with:

aName=Field1 aValue=123 Field1=123
aName=Field1 aValue=234 Field1=234
aName=Field2 aValue=345 Field2=345
aName=Field2 aValue=456 Field2=456

And now you can run stats on Field1 and Field2!

You can also append other text to the field names: | eval my{aName}=aValue would create myField1 and myField2 fields.

Naturally, beware using this on fields that have large numbers of values!

View solution in original post

Highlighted

Re: How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Motivator

Wow that's huge, thanks Jason!

0 Karma
Highlighted

Re: How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Motivator

You're welcome. It looks like this only works on the left hand side of the equals sign though.

Highlighted

Re: How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

New Member

Does it work for saved searches?

0 Karma
Highlighted

Re: How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

New Member

I found out how to fix my issue: the field value cannot be "-" as in my case.

0 Karma
Highlighted

Re: How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Path Finder

Right because you aren't allowed to create a variable with that character alone.

0 Karma
Highlighted

Re: How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Path Finder

Yep, because on the right you don't need them 🙂

Great find, thank you!

0 Karma
Highlighted

Re: How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Splunk Employee
Splunk Employee