Evaluating dynamically generated field name

hsingams2 · ‎01-24-2018

I've an event where some field "values" can be concatenated/evaluated to generate a field "name" that exists in the same event. I want to evaluate the generated field name to get its value.

A simple query to imitate this is below. How do I evaluate "foo" so that I get the value "johndoe" (ie "foo" is a reference/pointer to the user)
| stats count | eval user="johndoe" | eval foo="user"

MuS · ‎01-24-2018

Hi hsingams2,

almost got it right 😉 Try this:

 | makeresults | eval user="johndoe" | eval foo="user" | eval foo2=user

by using "" around the user you tell eval to use user as a string, and by not using "" around user you tell eval to refer to another field called user.

Does that make sense?

Hope this helps ...

cheers, MuS

hsingams2 · ‎01-24-2018

Thanks for the response. I understand that the calling without quotes would work.
The only issue is I can't use the user field directly. It has to be referenced through foo (i.e foo -> user -> johndoe)

My real life case is something similar to this:
... | eval foo=mvindex(split(somefield,"\n"),1)."/STATUS"

As you can see the "foo" here is dynamically generated and contains a field name as a string value (eg. "TEST00123/STATUS") that I want to evaluate.

Hope it makes sense.

Evaluating dynamically generated field name

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes