Hello,
I'm having an issue with a field search. I have a lookup where I specify for every sourcetype which field is relevant in order to create a ticket. Let's say the csv as the following:
sourcetype,field
sourcetypeA,host
sourcetypeB,dest
Then, I do a lookup to have this field into an unique field accross the sourcetype:
index=test
| lookup fields_relation sourcetype OUTPUT relevant_field
| eval relevant_host = 'relevant_field'
What I want now is to do an eval and set the value of this relevant_field (e.g. For the sourcetypeA I want a variable named relevant_host with the value of host variable). But all the tries let me to only have the string 'host'.
I tried do an eval sorrounding the variable between '' with no luck. Still the string field.
How can I get the variable value?
Thank you!
Try something like this
| makeresults
| eval host="A"
| eval dest="B"
| eval relevant_field="dest"
| eval new_{relevant_field} = "default"
| foreach new_*
[| eval <<FIELD>>=<<MATCHSEG1>>]
Try something like this
| makeresults
| eval host="A"
| eval dest="B"
| eval relevant_field="dest"
| eval new_{relevant_field} = "default"
| foreach new_*
[| eval <<FIELD>>=<<MATCHSEG1>>]
It worked like a charm! Thanks