Re: How can I use a field value as a field name an...

rahul_jasrotia · ‎05-27-2015

Hi,

I have a requirement where I want to make a common error dashboard for a set of apps with a textbox. There is an Errorid field which has different values for different applications i.e Errorid can be ID for 1 application and racfid for another. So I have made a lookup where, for an Appid, I find out the corresponding Errorid.

Now if I write the following search:

index=_internal |lookup lookup_name Appid OUTPUT Errorid

This gives me the correct Errorid Fieldname (like ID) as the field value in the field Errorid (i hope I'm clear on this)

Now I want to somehow make this field value as the fieldname to search further like below:-

index=_internal |lookup lookup_name Appid OUTPUT Errorid|Errorid.value(like ID)=$textboxvalue$|and so on

Am i doing anything wrong? please advise

stephanefotso · ‎05-27-2015

Here is an example

<form>
  <label>Text Form Input Element</label>
  <description>Top N Sourcetypes using Text Form Input</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="ID" searchWhenChanged="true">
      <label>entern the label you need</label>
      <default>5</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Your title goes here</title>
      <searchString>index=_internal |lookup lookup_name Appid OUTPUT Errorid | search ID=$ID$  </searchString>
      <earliestTime>-24h@h</earliestTime>
      <latestTime>now</latestTime>
      <option name="rowNumbers">true</option>
    </table>
  </row>
</form>

SGF

srussell_splunk · ‎05-27-2015

Based on what you've written, field aliasing might be a good solution for you: http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addaliasestofields

It allows you to -- in your example -- alias "ID" field to "Errorid" field such that the two searches are identical:

Errorid="Blah"  |

Is the same as:

 ID="Blah" |

rahul_jasrotia · ‎05-27-2015

thanks for the reply,
yeah field alias is an option I tried but that would mean that I need to create some 10-15 aliases. I hope I found something to be able to do it from the search itself.

stephanefotso · ‎05-27-2015

When you say, Errorid.value(like ID)=$textboxvalue$, please Which values your text box is suppose to take in that case? And, is ID is a field in your events?

SGF

rahul_jasrotia · ‎05-27-2015

Hi thanks for the reply,

textbox value will be given by the user, the problem is on the left hand side "Errorid.value(ID)"
Yes ID is a field in my events but this is just 1 case, for a different scenario this ID might be by some other name.

So i want to take the value inside the field errorid and use it as field further in the search string.

stephanefotso · ‎05-27-2015

Means if Errorid has 5 values, you will have 5 textbox?

SGF

rahul_jasrotia · ‎05-27-2015

nopes the textbox will always have one value, its just that the value will be used as a fieldname further in the search.

How can I use a field value as a field name and make that a drop-down value?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How can I use a field value as a field name and make that a drop-down value?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases