- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Evaluating dynamically generated field name
I've an event where some field "values" can be concatenated/evaluated to generate a field "name" that exists in the same event. I want to evaluate the generated field name to get its value.
A simple query to imitate this is below. How do I evaluate "foo" so that I get the value "johndoe" (ie "foo" is a reference/pointer to the user)
| stats count | eval user="johndoe" | eval foo="user"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi hsingams2,
almost got it right 😉 Try this:
| makeresults | eval user="johndoe" | eval foo="user" | eval foo2=user
by using "" around the user you tell eval to use user as a string, and by not using "" around user you tell eval to refer to another field called user.
Does that make sense?
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response. I understand that the calling without quotes would work.
The only issue is I can't use the user field directly. It has to be referenced through foo (i.e foo -> user -> johndoe)
My real life case is something similar to this:
... | eval foo=mvindex(split(somefield,"\n"),1)."/STATUS"
As you can see the "foo" here is dynamically generated and contains a field name as a string value (eg. "TEST00123/STATUS") that I want to evaluate.
Hope it makes sense.
