I'm trying to get a list of fields by sourcetype without going down the route of fieldsummary and thought analyzing the props configs would be a good place to start.
I'm starting with EVAL generated fields but not having any luck on the foreach section.
Any pointers would be much appreciated.
| rest splunk_server=local /servicesNS/-/-/configs/conf-props
| table title EVAL-a*
| eval eval_fields=""
| foreach EVAL-*
[ eval eval_fields=if(isnotnull(<<FIELD>>), mvappend(eval_fields,'<<MATCHSTR>>'), eval_fields) ]
| table title eval_fields *
kamlesh_vaghela (SplunkTrust)
Can you please try this in foreach?
[ eval eval_fields= if(isnotnull('<<FIELD>>'), mvappend(eval_fields,"<<MATCHSTR>>"), eval_fields) ]
I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem or gain knowledge, an upvote would be appreciated.
richgalloway (SplunkTrust)
You're very close. The <<FIELD>> specifier should be enclosed in single quotes so Splunk treats "EVAL-action" as a field name instead of an expression. Also, <<MATCHSTR>> should be in double quotes so the string "action" rather than the non-existent field 'action' is appended to eval_fields.
| rest splunk_server=local /servicesNS/-/-/configs/conf-props
| fields title EVAL-a*
| eval eval_fields=""
| foreach EVAL-*
[ eval eval_fields=if(isnotnull('<<FIELD>>'), mvappend(eval_fields,"<<MATCHSTR>>"), eval_fields) ]
| table title eval_fields *
If this reply helps you, Karma would be appreciated.
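The quoting difference described in the reply above, as an added example that is not part of any post in this thread. It runs both forms side by side on two rows built with makeresults, so no REST access is needed; the `constructed:*` titles and the EVAL expression strings are made-up sample values.

```spl
| makeresults count=2
| streamstats count as n
| eval title=if(n=1, "constructed:web", "constructed:fw")
| eval "EVAL-action"=if(n=1, "lower(status)", null())
| eval "EVAL-app"="upper(app)"
| eval quoted="", unquoted=""
| foreach EVAL-*
    [ eval unquoted=if(isnotnull(<<FIELD>>), mvappend(unquoted, "<<MATCHSTR>>"), unquoted),
           quoted=if(isnotnull('<<FIELD>>'), mvappend(quoted, "<<MATCHSTR>>"), quoted) ]
| table title quoted unquoted
```

The `quoted` column collects the matched suffixes (`action`, `app`) for each row that has the field, while `unquoted` stays empty because `EVAL-action` without single quotes is read as an expression rather than a field name.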
Thanks Rich. I was thinking along the lines of putting anything in double quotes would be interpreted literally so <<MATCHSTR>> would have ended up in my multivalue field.
Thanks for the detailed explanation.
richgalloway (SplunkTrust)
Understood. Like $tokens$ in dashboards and the map command, <<tokens>> in foreach are always expanded, even when quoted.
If this reply helps you, Karma would be appreciated.
You're a legend KV! Thanks a million.
Been annoying me all day trying to figure this out.
kamlesh_vaghela (SplunkTrust)
😊😍