Splunk Search

How can I use a field value as a field name and make that a drop-down value?

rahul_jasrotia
Path Finder

Hi,

I have a requirement where I want to make a common error dashboard for a set of apps with a textbox. There is an Errorid field which has different values for different applications, i.e. Errorid can be ID for 1 application and racfid for another. So I have made a lookup where, for an Appid, I find out the corresponding Errorid.

Now if I write the following search:

index=_internal |lookup lookup_name Appid OUTPUT Errorid

This gives me the correct Errorid field name (like ID) as the field value in the field Errorid (I hope I'm clear on this).

Now I want to somehow use this field value as the field name to search further, like below:

index=_internal |lookup lookup_name Appid OUTPUT Errorid|Errorid.value(like ID)=$textboxvalue$|and so on

Am I doing anything wrong? Please advise.

0 Karma

stephanefotso
Motivator

Here is an example

<form>
  <label>Text Form Input Element</label>
  <description>Top N Sourcetypes using Text Form Input</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="ID" searchWhenChanged="true">
      <label>Enter the label you need</label>
      <default>5</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Your title goes here</title>
      <searchString>index=_internal |lookup lookup_name Appid OUTPUT Errorid | search ID=$ID$  </searchString>
      <earliestTime>-24h@h</earliestTime>
      <latestTime>now</latestTime>
      <option name="rowNumbers">true</option>
    </table>
  </row>
</form>
SGF
0 Karma

srussell_splunk
Splunk Employee

Based on what you've written, field aliasing might be a good solution for you: http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addaliasestofields

It allows you to -- in your example -- alias "ID" field to "Errorid" field such that the two searches are identical:

Errorid="Blah"  | 

Is the same as:

 ID="Blah" | 
0 Karma

rahul_jasrotia
Path Finder

Thanks for the reply.
Yeah, field alias is an option I tried, but that would mean that I need to create some 10-15 aliases. I was hoping to find something that would let me do it from the search itself.

0 Karma

stephanefotso
Motivator

When you say Errorid.value(like ID)=$textboxvalue$, which values is your text box supposed to take in that case? And is ID a field in your events?

SGF
0 Karma

rahul_jasrotia
Path Finder

Hi, thanks for the reply.

The textbox value will be given by the user; the problem is on the left-hand side, "Errorid.value(ID)".
Yes, ID is a field in my events, but this is just 1 case; for a different scenario this ID might be by some other name.

So I want to take the value inside the field Errorid and use it as a field further in the search string.

0 Karma

stephanefotso
Motivator

Meaning, if Errorid has 5 values, you will have 5 textboxes?

SGF
0 Karma

rahul_jasrotia
Path Finder

Nope, the textbox will always have one value; it's just that the value will be used as a field name further in the search.

0 Karma
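
One way to do what the question asks from the search itself, added here as an example and not taken from any post in this thread: `foreach` walks the event's fields and copies the value of the one whose name matches the content of Errorid into a helper field, which is then compared with the textbox token. The helper field `errval` and the dashboard labels are assumptions; `lookup_name`, `Appid`, `Errorid` and the `textboxvalue` token come from the posts above.

```xml
<form>
  <label>Common error dashboard</label>
  <fieldset submitButton="true">
    <!-- Token name "textboxvalue" is the one used in the question. -->
    <input type="text" token="textboxvalue">
      <label>Error value</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- CDATA keeps the << >> of the foreach template away from the
               XML parser. errval is a hypothetical helper field: for each
               event it receives the value of the field named by Errorid
               (e.g. the value of ID, or of racfid). -->
          <query><![CDATA[
index=_internal
| lookup lookup_name Appid OUTPUT Errorid
| foreach * [ eval errval=if("<<FIELD>>"==Errorid, '<<FIELD>>', errval) ]
| search errval=$textboxvalue|s$
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The `|s` token filter wraps the user's text in quotes, so whatever is typed into the box is compared as a single value instead of being read as more search syntax. `foreach *` evaluates once per field on every event, so filter as much as possible before it.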