Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field data from fieldname in variable

auradk
Path Finder
‎04-17-2018 10:03 AM

Any way of achieving this:

| makeresults 
| eval Column1="MyData"
| eval TestField="Column1"
| eval Result{TestField}=if('{TestField}'="MyData",1,0)

The reason is simple. I want to define a lookup with all the fieldnames (columns) that is required for a specific category of events.
My current search is larger than this, but i have found this example to describe my problem the best. if i solve this i can solve the rest. The result should be that ResultColumn1 = 1

{TestField} works on the left side of = but not on the right side in the eval.
I tried every combination of TestField including (',",$,$$,<<) but i am not able to retrieve the data from the field which is defined in TestField.
If i use {TestField} on the right side of = i get an error. This is why i have put '{TestField}' in my example above.

I am using Enterprise 7.0.1

Any help is appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-17-2018 10:48 AM

Give this a try

| makeresults 
 | eval Column1="MyData"
 | eval TestField="Column1"
 | eval Result{TestField}=""
 | foreach Result* [| eval "<<FIELD>>"=if('<<MATCHSTR>>'="MyData",1,0)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-17-2018 10:48 AM

Give this a try

| makeresults 
 | eval Column1="MyData"
 | eval TestField="Column1"
 | eval Result{TestField}=""
 | foreach Result* [| eval "<<FIELD>>"=if('<<MATCHSTR>>'="MyData",1,0)]
0 Karma
Reply
Solved! Jump to solution

auradk
Path Finder
‎04-17-2018 02:56 PM

Thank you so much - i battled with that all day 🙂
It worked like a charm and even made my other query more simpel.
I see now that i simply did not understand the documentation of foreach. Now i do.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...