Dashboards & Visualizations

Replacing $var$ with var

nightflame
Explorer

The `notable` macro returns a field drilldown_search with the variables $user$ and $dest$ embedded in it.

I would like to make use of this elsewhere and replace $user$ and $dest$ with the values of those fields respectively.

Is there a simple way in SPL to tell Splunk to substitute $var$ for var?

The best I have come up with is:

`notable`
| eval drilldown_search = if(like(drilldown_search,"%$user$%"), replace(drilldown_search,"\$user\$", user), drilldown_search)
| eval drilldown_search = if(like(drilldown_search,"%$dest$%"), replace(drilldown_search,"\$dest\$", dest), drilldown_search)

This seems a bit convoluted and I need a statement for each $var$.

Also I found if I do not use the if(like(... then replace returns drilldown_search as null if it does not match.

Is there a better way of doing this?

0 Karma
1 Solution

koshyk
Super Champion

Have a try

`notable`
| stats count by drilldown_search,dest,src,user
| foreach * [eval drilldown_search=replace(drilldown_search,"\$<<FIELD>>\$", <<FIELD>>)]

The important thing to note here is, stats count statement will ensure the fields that have values only will come out. If you need to accommodate null values, you may need to fiddle but the logic should work.

niketn
Legend

@nightflame, can you share some of the outputs of macro notable with few drilldown_search field values. Can it return only $user$ or $dest$ or both?

Besides the $user$ and/or $dest$ values being returned for field drilldown_search, is the macro also returning user and dest fields? What are some of these fields values? Will it be possible for you to share macro code?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nightflame
Explorer

Is that you Kiran? 🙂

This works a treat.

No not all the fields will exist. I just need to add this in front:

`notable`
| eval user= if(isnull(user),"",user )
| eval dest= if(isnull(dest),"",dest )
| eval src= if(isnull(src),"",src )
| stats count by drilldown_search,dest,src,user
| foreach * [eval drilldown_search=replace(drilldown_search,"\$<<FIELD>>\$", <<FIELD>>)]

Shame I cannot condense the '| eval user= if(isnull(user),"",user )' etc into one statement where I do not need to know the names of $var$.

Thanks.

0 Karma
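A self-contained version of the accepted approach, added here as an editor's example rather than code from anyone in the thread. It builds three constructed notable-style rows with makeresults (the field values, search strings and the `fillnull` step are assumptions, not output of the real `notable` macro), including rows where user, dest or src is missing, so that the null-handling behaviour of `stats ... BY` can be seen directly. `fillnull value=""` on the listed fields does the same job as the three separate `if(isnull(...))` evals in one statement.

```spl
| makeresults count=3
| streamstats count AS n
| eval user=case(n=1,"fred", n=2,"alice"),
       dest=case(n=1,"10.0.0.5", n=3,"web01"),
       src=case(n=1,"10.0.0.9", n=2,"10.0.0.7")
| eval drilldown_search=case(n=1,"index=auth user=$user$ dest=$dest$",
                             n=2,"index=auth user=$user$ src=$src$",
                             n=3,"index=web dest=$dest$ src=$src$")
| fillnull value="" user dest src
| stats count BY drilldown_search, dest, src, user
| foreach * [eval drilldown_search=replace(drilldown_search,"\$<<FIELD>>\$", <<FIELD>>)]
| table drilldown_search user dest src
```

With the fillnull line removed, rows 2 and 3 disappear at the stats step because a BY field is null for them; with it present all three rows survive and an unresolvable token such as $dest$ on row 2 is replaced by an empty string rather than being left in place. Because replace() inserts raw field values into a string that may later be run as a search, values containing quotes or pipe characters would change the meaning of the resulting search; if the substituted string is executed rather than displayed, validate or quote the inserted values first.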

elliotproebstel
Champion

If you want to get rid of all instances of the $ character in your drilldown_search field, then rex should work:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Rex

| rex field=drilldown_search mode=sed "s/\$//g"

0 Karma

nightflame
Explorer

That's not quite what I wanted. I want to replace $var$ with the value of var, not the "var" string. Note the lack of quotes around user in my replace example.

So for example I have a field user="fred"

Then I want to resolve $user$ to "fred", not "user"

Hope that makes sense.

0 Karma

elliotproebstel
Champion

Ah, it does. I misread, sorry. In that case, the answer by @koshyk should do the trick.

0 Karma