Splunk Search

Evaluating dynamically generated field name

hsingams2
Explorer

I've an event where some field "values" can be concatenated/evaluated to generate a field "name" that exists in the same event. I want to evaluate the generated field name to get its value.

A simple query to imitate this is below. How do I evaluate "foo" so that I get the value "johndoe" (ie "foo" is a reference/pointer to the user)
| stats count | eval user="johndoe" | eval foo="user"

Tags (1)
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi hsingams2,

almost got it right 😉 Try this:

 | makeresults | eval user="johndoe" | eval foo="user" | eval foo2=user

by using "" around the user you tell eval to use user as a string, and by not using "" around user you tell eval to refer to another field called user.

Does that make sense?

Hope this helps ...

cheers, MuS

0 Karma

hsingams2
Explorer

Thanks for the response. I understand that the calling without quotes would work.
The only issue is I can't use the user field directly. It has to be referenced through foo (i.e foo -> user -> johndoe)

My real life case is something similar to this:
... | eval foo=mvindex(split(somefield,"\n"),1)."/STATUS"

As you can see the "foo" here is dynamically generated and contains a field name as a string value (eg. "TEST00123/STATUS") that I want to evaluate.

Hope it makes sense.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!