Splunk Search

How do I create a field whose name is the value of another field? Like backticks or eval() in other languages.

Jason
Motivator

I have a set of data, perhaps XML, perhaps 5.x+ PerfMon, and it's in this format:

aName=Field1 aValue=123
aName=Field1 aValue=234
aName=Field2 aValue=345
aName=Field2 aValue=456

I would love to do a | stats avg(Field1) avg(Field2) but I can't get at the values!

How can I create a field with the name of aName, and the value of aValue? This is very similar to backticks or the eval() function in other languages.

Tags (1)
1 Solution

Jason
Motivator

This does not seem to be documented anywhere, but you can use the curly braces to create fields that are based on field values. In the example above, run the following:

| eval {aName}=aValue

And you will end up with:

aName=Field1 aValue=123 Field1=123
aName=Field1 aValue=234 Field1=234
aName=Field2 aValue=345 Field2=345
aName=Field2 aValue=456 Field2=456

And now you can run stats on Field1 and Field2!

You can also append other text to the field names: | eval my{aName}=aValue would create myField1 and myField2 fields.

Naturally, beware using this on fields that have large numbers of values!

View solution in original post

Jason
Motivator

This does not seem to be documented anywhere, but you can use the curly braces to create fields that are based on field values. In the example above, run the following:

| eval {aName}=aValue

And you will end up with:

aName=Field1 aValue=123 Field1=123
aName=Field1 aValue=234 Field1=234
aName=Field2 aValue=345 Field2=345
aName=Field2 aValue=456 Field2=456

And now you can run stats on Field1 and Field2!

You can also append other text to the field names: | eval my{aName}=aValue would create myField1 and myField2 fields.

Naturally, beware using this on fields that have large numbers of values!

mstadler_splunk
Splunk Employee
Splunk Employee

Jason
Motivator

You're welcome. It looks like this only works on the left hand side of the equals sign though.

rharrisssi
Path Finder

Yep, because on the right you don't need them 🙂

Great find, thank you!

0 Karma

chrishi
New Member

Does it work for saved searches?

0 Karma

chrishi
New Member

I found out how to fix my issue: the field value cannot be "-" as in my case.

0 Karma

rharrisssi
Path Finder

Right because you aren't allowed to create a variable with that character alone.

0 Karma

mikelanghorst
Motivator

Wow that's huge, thanks Jason!

0 Karma
Get Updates on the Splunk Community!

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...