Solved: Found useful trick to have field values as new fie...

splunkreal · ‎12-07-2022

Hello,

we found useful trick to have field values as new fields, for example :

| eval {status}=status | timechart count count(failed) as FAILED | eval failed_percent=FAILED/count*100

How do you call this? Is is documented?

Thanks 🙂

* If this helps, please upvote or accept solution if it solved *

bowesmana · ‎12-07-2022

There is a tiny sentence associated with that feature in the eval documentation page

I believe I have seen this spoken about as 'dummy encoding', but that is not in those pages.

It is a VERY useful feature, as it supports that syntax within any other text, so you can do stuff like

| eval a=random(), b=random(), my_random1_{a}_and_random2_{b}_vars="done"

bowesmana · ‎12-07-2022

There is a tiny sentence associated with that feature in the eval documentation page

I believe I have seen this spoken about as 'dummy encoding', but that is not in those pages.

It is a VERY useful feature, as it supports that syntax within any other text, so you can do stuff like

| eval a=random(), b=random(), my_random1_{a}_and_random2_{b}_vars="done"

Found useful trick to have field values as new fields with {field}