Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use the value of one field as name of another field?

JoeIII
Path Finder
‎05-17-2013 06:53 AM

Splunk 5.0.2

Example: windows "Perfmon:Free Disk Space"

Each check is actually two events, one with the free space in MD, one in percent like this:

search: source="Perfmon:Free Disk Space"

first two results:

05/17/2013 08:59:29.087<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="% Free Space"<br>
instance=_Total<br>
Value=23.842293475974397<br>

05/17/2013 08:59:29.087<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="Free Megabytes"<br>
instance=_Total<br>
Value=31736<br>

I make these into transactions to bring this information together:

Search: source="Perfmon:Free Disk Space" | transaction host instance _time

first result:

05/17/2013 09:00:59.656<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="Free Megabytes"<br>
instance=_Total<br>
Value=121005<br>
05/17/2013 09:00:59.656<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="% Free Space"<br>
instance=_Total<br>
Value=20.732246391710184<br>

If I could rename the "Value" field to the value of the "counter" field before my transaction command I would have something along the lines of::

05/17/2013 09:00:59.656<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="Free Megabytes"<br>
instance=_Total<br>
Free Megabytes=121005<br>
05/17/2013 09:00:59.656<br>
collection="Free Disk Space"<br>
object=LogicalDisk<br>
counter="% Free Space"<br>
instance=_Total<br>
% Free Space=20.732246391710184<br>

I could then make tables charts graphs alerts etc based on those values and have both the space in megabytes and the percent available. For example, on a drive with multiple terabytes of disk space, 10% free isn't that big a deal but only having a few thousand meg free would be an issue, on a drive with only a few dozen gigabytes 10% free may be critical where a few thousand megabytes is "normal"

I know I could use a case argument but that only adresses this one instance, I'm looking for a tool I can use again in the future.

the closest i've come is this:

Search: source="Perfmon:Free Disk Space" | chart first(Value) over host by counter

give me <Hostname> <% Free Space> <Free Megabytes>

which is "ok" but doesn't account for multiple instances (in this example, i have an instance for each drive then one for _Total)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎05-17-2013 07:09 AM

From a strictly search format:

source="Perfmon:Free Disk Space" | eval ReportKey = instance.":".counter | chart latest(Value) over host by ReportKey

Otherwise, you can setup some props/transforms but it gets hairy with different fields.

View solution in original post

Reply
Solved! Jump to solution

Jason
Motivator
‎09-26-2013 01:43 AM

Yes, this is possible, and very useful for Perfmon with its counter= value= format. Try this:

| eval {counter}=value

This naturally only works when you have a small number of values of counter where you can explicitly state them in a stats, or perhaps use fields beforehand to narrow down the number of available fields for a stats *

http://answers.splunk.com/answers/103700/how-do-i-create-a-field-whose-name-is-the-value-of-another-...

Reply
Solved! Jump to solution

JoeIII
Path Finder
‎10-16-2013 07:39 AM

Very cool - I like this solution as well.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-17-2013 07:46 AM

Another way is to use if;

source="Perfmon:Free Disk Space" 
| eval Free_MB = if(counter == "Free Megabytes", Value, null()) 
| eval Free_perc = if(counter == "% Free Space", Value, null())
| your reporting commands as needed

This should give you new fields with the 'right' names.

/K

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎05-17-2013 07:09 AM

From a strictly search format:

source="Perfmon:Free Disk Space" | eval ReportKey = instance.":".counter | chart latest(Value) over host by ReportKey

Otherwise, you can setup some props/transforms but it gets hairy with different fields.

Reply
Solved! Jump to solution

alacercogitatus
SplunkTrust
SplunkTrust
‎05-17-2013 12:14 PM

If I have answered your question (or close enough to what you were looking for), please accept it. Thanks!

0 Karma
Reply
Solved! Jump to solution

JoeIII
Path Finder
‎05-17-2013 08:01 AM

Thank you, in this instance I actually like the following better:

source="Perfmon:Free Disk Space" | eval HostInstance = host.":".instance | chart latest(Value) over HostInstance by counter

giving me one set of MB/% per line.

in this particular example, this is an acceptible solution, but it may not work every time I'm looking for a similar solution.

0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Top