Archive

How do you treat a variable value as another field with Splunk?

Explorer

I have a field named "objectXXXproperty", where XXX string is dynamically generated and is held in another field named "entity". I want to get at the object property field and have it on a table. I figured that I probably need an intermediate variable to handle the dynamically generated field name:

<code>base search | eval cn="objects_".entity."_property"|.. </code>

How can I get my cn variable to display the value of the object_property field with Splunk?

Tags (1)
1 Solution

Esteemed Legend

Like this:

| makeresults 
| eval entity = "foo" 
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]

Do note that this also "works" but apparently is not what you desire (because it is the inverse):

| makeresults 
| eval entity = "foo" 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval object_{entity}_property = "bar"

View solution in original post

Esteemed Legend

Now that I "get it", this is a GREAT question.

0 Karma

Esteemed Legend

Like this:

| makeresults 
| eval entity = "foo" 
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]

Do note that this also "works" but apparently is not what you desire (because it is the inverse):

| makeresults 
| eval entity = "foo" 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval object_{entity}_property = "bar"

View solution in original post

Explorer

thank you very much. This was what I was looking for. Got my query with some minor modifications on this.

Esteemed Legend

It always looks so easy when you see the trick.

0 Karma

Esteemed Legend

It was a fun problem to solve.

0 Karma

SplunkTrust
SplunkTrust

@derekho55 ,

base search | eval object_{entity}_property="your value"

This will create field names with objectabcproperty,objectxyzproperty etc where abc & xyz are your entity values

0 Karma

Explorer

Thanks for your response. I don't want to create a field named object{entity}property; it already exists as a field with a value in it that I want to extract.

I've been trying with

| eval cn = object_{entity}_property| table cn but it wont work.

Straight up base search |table object_{entity}_property didn't work either.

0 Karma