Solved: Is it possible to calculate the value of a field n...

DonDallas71 · ‎06-30-2017

Is it possible to calculate the value of a field name, or assign a field name using a value of a previously calculated field?

In a Splunk search I have a calculated field that is a date like 6/29/2017 and i want to create a field using stats that has that name. I want the actual field/column name to be that calculated date and not some static text.

value of Day1=6/29/2017
value of Day2=6/28/2017
value of Day1Users is a list of all users who logged in on 6/29/2017
value of Day2Users is a list of all users who logged in on 6/29/2017 and 6/28/2017
I want to do something like this

| stats DC(Day1Users) as {Day1}, DC(Day2Users) as {Day2}....

woodcock · ‎06-30-2017

To assign a field name from a field value do this:

| eval {FieldNameWhoseValueShouldBeTheNewFieldName} = whatever.

So if field FieldX has value X and FieldY has a value Y and you do | eval {FieldX} = FieldY then you will have a new field named X that has a value of Y.

View solution in original post

woodcock · ‎06-30-2017

To assign a field name from a field value do this:

| eval {FieldNameWhoseValueShouldBeTheNewFieldName} = whatever.

So if field FieldX has value X and FieldY has a value Y and you do | eval {FieldX} = FieldY then you will have a new field named X that has a value of Y.

DonDallas71 · ‎06-30-2017

That was exactly what I was wanting to do. I had actually tried that, I had just forgotten to carry my date variables through to my stats.

sbbadri · ‎06-30-2017

..... earliest=-2d@d latest=-0d@d | timechart span=1d count by users | eval _time = strftime(_time,"%Y-%m-%d") | fields - _span _spandays | transpose

Is it possible to calculate the value of a field name, or assign a field name using a value of a previously calculated field?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms