I have a set of data, perhaps XML, perhaps 5.x+ PerfMon, and it's in this format:
aName=Field1 aValue=123
aName=Field1 aValue=234
aName=Field2 aValue=345
aName=Field2 aValue=456
I would love to do a | stats avg(Field1) avg(Field2) but I can't get at the values!
How can I create a field with the name of aName, and the value of aValue? This is very similar to backticks or the eval() function in other languages.
This does not seem to be documented anywhere, but you can use the curly braces to create fields that are based on field values. In the example above, run the following:
| eval {aName}=aValue
And you will end up with:
aName=Field1 aValue=123 Field1=123
aName=Field1 aValue=234 Field1=234
aName=Field2 aValue=345 Field2=345
aName=Field2 aValue=456 Field2=456
And now you can run stats on Field1 and Field2!
You can also append other text to the field names: | eval my{aName}=aValue would create myField1 and myField2 fields.
Naturally, beware using this on fields that have large numbers of values!
Found the documentation here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#General
You're welcome. It looks like this only works on the left hand side of the equals sign though.
Yep, because on the right you don't need them 🙂
Great find, thank you!
Does it work for saved searches?
I found out how to fix my issue: the field value cannot be "-" as in my case.
Right because you aren't allowed to create a variable with that character alone.
Wow that's huge, thanks Jason!
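A run-anywhere search for the technique discussed in this thread, added here as an example and not part of any post above. It rebuilds the question's four rows plus a constructed fifth row whose aName is "-", keeps only names that match a conservative pattern, and skips the pivot when there are more than 50 distinct names. The sample rows, the pattern and the limit of 50 are assumptions chosen for illustration, not Splunk rules.

```spl
| makeresults count=5
| streamstats count AS n
| eval aName=case(n<=2, "Field1", n<=4, "Field2", true(), "-")
| eval aValue=case(n=1, 123, n=2, 234, n=3, 345, n=4, 456, true(), 0)
| where match(aName, "^[A-Za-z_][A-Za-z0-9_]*$")
| eventstats dc(aName) AS name_count
| where name_count <= 50
| eval {aName}=aValue
| stats avg(Field1) AS avg_Field1 avg(Field2) AS avg_Field2
```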